Software provider Ivanti has released security updates for a newly identified vulnerability in its Endpoint Manager Mobile (EPMM) platform after confirming that the flaw has already been used in limited zero-day attacks.
The vulnerability, tracked as CVE-2026-6973, has been classified as high severity. According to Ivanti, the issue is caused by improper input validation, which refers to a weakness in how an application processes and checks incoming data before handling a request. If exploited successfully, the flaw could allow a remote attacker with administrator-level access to run arbitrary code on vulnerable systems.
Ivanti stated that the vulnerability affects EPMM version 12.8.0.0 and earlier releases. To reduce exposure, the company has issued patched versions including EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1. The company is also advising customers to review accounts with administrative privileges and rotate credentials where necessary, particularly in environments where earlier compromise activity may have occurred.
In its advisory, Ivanti said the exploitation activity observed so far appears to be limited in scope and requires valid administrator authentication in order to succeed. The company added that it has not identified active exploitation involving the additional vulnerabilities disclosed alongside CVE-2026-6973.
Ivanti also clarified that the issue impacts only the on-premises version of Endpoint Manager Mobile. The company said the flaw does not affect Ivanti Neurons for MDM, which is its cloud-based endpoint management platform. Other products, including Ivanti EPM and Ivanti Sentry, were also listed as unaffected.
Data published by internet monitoring organization Shadowserver Foundation currently shows more than 850 internet-accessible IP addresses associated with Ivanti EPMM deployments. Most of the exposed systems appear to be located in Europe, followed by North America. However, there is still no public visibility into how many of those servers have already installed the latest patches.
Alongside the actively exploited flaw, Ivanti disclosed fixes for four additional high-severity vulnerabilities identified as CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821. According to the company, these flaws could potentially be used to obtain administrator access, impersonate registered Sentry hosts to receive valid certificate authority-signed client certificates, invoke unauthorized methods, or gain access to restricted information stored within affected environments.
The company stated that it currently has no evidence showing these four vulnerabilities have been exploited in real-world attacks. Ivanti also noted that CVE-2026-7821 affects only organizations using Apple Device Enrollment configurations.
The latest disclosure follows earlier security incidents involving Ivanti EPMM earlier this year. In January, the company disclosed two separate code-injection vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, which were also exploited as zero-days against what Ivanti described at the time as a very limited number of customers.
Ivanti now says customers who followed its earlier recommendation to rotate credentials after the January incidents are likely to face a significantly lower risk of exploitation from CVE-2026-6973. The guidance reflects a growing concern within the cybersecurity industry that attackers often attempt to reuse stolen administrative credentials across multiple intrusion campaigns.
The issue also drew attention from the U.S. Cybersecurity and Infrastructure Security Agency earlier this year. In April, the agency instructed federal civilian agencies to secure vulnerable systems against attacks involving CVE-2026-1340 within four days after adding th
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: