Ivanti EPMM Zero-Day Exploited in New Attack: CVE-2026-6973 Under Active Exploitation

Ivanti EPMM Zero-Day Vulnerability (CVE-2026-6973) Actively Exploited

Ivanti customers are once again under attack, this time via a newly disclosed zero-day vulnerability in the company’s Endpoint Manager Mobile (EPMM) product. The flaw, tracked as CVE-2026-6973, is an improper input validation defect that enables authenticated users with administrative privileges to execute arbitrary code remotely.

The company issued a security advisory on Thursday, revealing that attackers have already exploited the vulnerability in limited attacks. Ivanti also disclosed four additional high-severity vulnerabilities in the same product, though these have not been exploited in the wild at this time.

Ivanti’s Response and Patch Release

In response to the threat, Ivanti released patches for all five vulnerabilities on the same day as the advisory. The patched vulnerabilities include:

• CVE-2026-5787
• CVE-2026-5788
• CVE-2026-6973
• CVE-2026-7821

A spokesperson for Ivanti stated,

"At the time of disclosure, Ivanti is aware of very limited exploitation in the wild of CVE-2026-6973, which requires authenticated administrative access to implement."

The company did not disclose when the first exploitation occurred or the number of impacted customers. However, the Cybersecurity and Infrastructure Security Agency (CISA) added the zero-day to its Known Exploited Vulnerabilities Catalog within hours of Ivanti’s disclosure.

Discovery and Root Causes

Ivanti attributed the discovery of these vulnerabilities to internal detection processes, advanced AI, customer collaboration, and responsible disclosure. Notably, one of the defects was reported by a former employee.

The company suggested that the latest zero-day may be linked to lingering risks from two previously exploited critical zero-days:

• CVE-2026-1281
• CVE-2026-1340

These earlier vulnerabilities were exploited starting in late January, leading to widespread fallout. By early February, nearly 100 victims were affected, including the Dutch Data Protection Authority and the Council for the Judiciary in the Netherlands.

Ivanti emphasized that customers who followed its January recommendation to rotate EPMM credentials are at significantly reduced risk. The company added,

"Customers unaffected by the prior vulnerability are also at a much lower risk."

Expert Analysis on the Zero-Day Threat

Caitlin Condon, Vice President of Security Research at VulnCheck, analyzed the implications of CVE-2026-6973. She noted that the requirement for administrative privileges suggests the flaw may have been exploited as part of a larger attack chain. Condon stated,

"No attribution was shared on threat actor exploitation of CVE-2026-6973, but two other 2026 CVEs in Ivanti EPMM — CVE-2026-1281 and CVE-2026-1340 — have been exploited by a range of threat actors, including China- and Iran-attributed groups."

She further explained,

"Those vulnerabilities notably were code-injection vulnerabilities that were remotely exploitable without authentication, unlike CVE-2026-6973. Both CVE-2026-1281 and CVE-2026-1340 appear to have been fixed in today’s Ivanti release. Comparatively, these earlier vulns were of higher initial concern than today’s fresh zero-day vulnerability, which requires admin authentication."

Ongoing Challenges for Ivanti Customers

This latest zero-day attack underscores the recurring security challenges faced by Ivanti customers and security practitioners. The company has been plagued by vulnerabilities that attackers have exploited before Ivanti could address them, highlighting the persistent risks in the network edge space.