Ivanti EPMM Zero-Day Vulnerability Exploited in Active Attacks

Ivanti EPMM Zero-Day Vulnerability Exploited in Active Attacks

First seen 7 May 2026, 15:53 UTC www.theregister.comBleepingcomputerCybersecuritynewsCyberscoopGround.News+12 91% similarity 72.9

Article Content

Browse articles
ThreatCluster

Ivanti has disclosed a zero-day vulnerability (CVE-2026-6973) in its Endpoint Manager Mobile (EPMM) product, which has been actively exploited by attackers. This flaw allows authenticated users with administrative privileges to execute arbitrary code remotely on affected systems. Ivanti issued patches for this and four other high-severity vulnerabilities on May 7, 2026. The vulnerability affects EPMM versions 12.8.0.0 and earlier. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this CVE to its list of exploited vulnerabilities and mandated federal agencies to patch their systems by May 10, 2026. Ivanti previously disclosed two critical vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in January 2026, which have also been exploited. The current exploitation requires administrative access, limiting the immediate impact but still posing significant risks to organizations that have not followed prior security recommendations.

Key Points: • CVE-2026-6973 is a zero-day vulnerability in Ivanti EPMM, actively exploited since May 7, 2026. • The vulnerability allows remote code execution for authenticated users with admin privileges. • CISA has mandated federal agencies to patch affected systems by May 10, 2026.

ThreatCluster AI

Timeline

2026-01-29
CVE-2026-1281 and CVE-2026-1340 published
Ivanti disclosed two critical vulnerabilities in EPMM, both allowing unauthenticated remote code execution.
The Register
2026-04-08
CVE-2026-1340 added to CISA KEV
CISA added CVE-2026-1340 to its list of known exploited vulnerabilities, urging immediate action.
BleepingComputer
2026-05-07
CVE-2026-6973 disclosed and exploited
Ivanti confirmed active exploitation of CVE-2026-6973, requiring admin authentication for successful attacks.
CyberScoop
2026-05-07
CISA adds CVE-2026-6973 to KEV
CISA included CVE-2026-6973 in its catalog of known exploited vulnerabilities, urging rapid patching.
BleepingComputer
2026-05-07
CVE-2026-5788 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-05-07
CVE-2026-5786 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-05-07
CVE-2026-5787 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-05-07
CVE-2026-7821 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-05-08
Ivanti issues security update
Ivanti released patches for CVE-2026-6973 and four other vulnerabilities, urging immediate application.
Ivanti

Community

Browse all →