Ivanti Patches EPMM Zero-Day Exploited in Targeted Attacks

Ivanti Patches EPMM Zero-Day Exploited in Targeted Attacks

Briefly

"The exploited flaw, tracked as CVE-2026-6973, is a high-severity improper input validation issue that can be exploited by an authenticated attacker with admin privileges for remote code execution."

"Ivanti says it's aware of a "very limited number of customers" being targeted in attacks exploiting CVE-2026-6973. "If customers followed Ivanti's recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced," the vendor noted in its advisory."

"Based on this information, CVE-2026-6973 may have been chained with CVE-2026-1281 or CVE-2026-1340, which allow unauthenticated remote code execution, enabling an attacker to gain complete control of the targeted MDM infrastructure. CVE-2026-1281 and CVE-2026-1340 were initially also leveraged in targeted zero-day attacks, but exploitation surged shortly after their disclosure."

"CISA added CVE-2026-6973 to its KEV catalog on Thursday, instructing federal agencies to address it by May 10. CISA's KEV list currently includes 34 Ivanti product vulnerabilities. Ivanti pointed out in its advisory that the remaining vulnerabilities patched with the latest EPMM updates do not appear to have been exploited in the wild."