Ivanti has issued an urgent warning and patches for a high-severity remote code execution vulnerability in its on-premises Endpoint Manager Mobile (EPMM) product, tracked as CVE-2026-6973. According to the company's advisory, the flaw stems from improper input validation and allows an attacker holding administrative credentials to run arbitrary code on EPMM installations running version 12.8.0.0 and above; exploitation has already been detected in zero-day attacks, although Ivanti describes it as very limited in the wild.
Ivanti has published the versions that fix the issue, EPMM 12.6.1.1, 12.7.0.1 and 12.8.0.1, and additionally recommends reviewing and rotating credentials that hold administrative privileges. The update applies only to on-premises EPMM; according to the company, the flaw is not present in Ivanti Neurons for MDM (the cloud offering) or in other products such as Ivanti EPM or Ivanti Sentry. The official release contains the details and links for download and mitigation: https://www.ivanti.com/blog/may-2026-epmm-security-update.

The operational picture adds to the urgency: tracking projects such as Shadowserver detect more than 850 public IP addresses exposing Ivanti EPMM instances to the Internet, concentrated mainly in Europe and North America. There is no reliable public visibility into how many of these organizations have already applied the patches, so it is reasonable to assume that a significant share remains vulnerable. The real-time detection map is available on the Shadowserver dashboard: https://dashboard.Shadowserver.org/...
This patch ships alongside fixes for four other high-severity vulnerabilities in EPMM (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788 and CVE-2026-7821) which, in different scenarios, enable anything from obtaining administrative privileges to spoofing Sentry hosts and accessing restricted information. Ivanti has found no public evidence of exploitation of these other flaws, although it warns that CVE-2026-7821 can be exploited without privileges in environments with Apple Device Enrollment configured.
Recent history adds context: in January Ivanti had already patched two other critical EPMM vulnerabilities (CVE-2026-1281 and CVE-2026-1340) that were used in targeted attacks against a limited number of customers, and the US Cybersecurity and Infrastructure Security Agency (CISA) has added multiple Ivanti flaws to its catalogue of vulnerabilities exploited in the wild. CISA maintains a record of Known Exploited Vulnerabilities that includes numerous CVEs associated with Ivanti: https://www.cisa.gov/known-exploited-vulnerabilities-catalog.
What security teams should do now: first, prioritize immediate installation of the patches Ivanti indicates on every affected on-premises EPMM instance, and verify the running version after the update. If operational reasons make immediate patching impossible, apply temporary mitigations such as blocking access to the EPMM management port from the Internet and restricting management access through access control lists (ACLs) and administrative VPNs. Review and rotate administrative credentials, enable multi-factor authentication wherever possible, and restrict administrative privileges to accounts used only for short-lived administrative sessions.
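Verifying versions after the update is easy to get wrong when several release branches have their own fixed build. The helper below is an added example, not Ivanti's tooling: it takes the fixed versions the article lists (12.6.1.1, 12.7.0.1 and 12.8.0.1), maps each reported version to its branch, and classifies it. The inventory, hostnames and version strings in `__main__` are constructed placeholders; versions on branches the article does not list are reported as `unknown-branch` rather than guessed at.

```python
"""Post-patch verification helper for on-premises Ivanti EPMM versions.

Added example, not Ivanti's own tooling. Fixed builds are the ones the
article lists; the sample inventory below is constructed.
"""

# Minimum fixed build per release branch (major, minor), from the article.
FIXED_VERSIONS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.8.0.0' into (12, 8, 0, 0); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(text: str) -> str:
    """Classify a reported EPMM version as 'patched', 'vulnerable' or 'unknown-branch'."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Branch not covered by the article's fix list: check the advisory, don't guess.
        return "unknown-branch"
    # Pad short strings with zeros so '12.8' compares like '12.8.0.0'.
    padded = version + (0,) * (len(fixed) - len(version))
    return "patched" if padded >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts from an inventory {hostname: version} by patch status."""
    groups: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown-branch": []}
    for host, ver in inventory.items():
        groups[patch_status(ver)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are placeholders.
    sample = {
        "epmm-eu-01": "12.8.0.1",
        "epmm-eu-02": "12.8.0.0",
        "epmm-us-01": "12.7.0.1",
        "epmm-lab": "12.5.2.0",
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Feed it the version string reported by each appliance's own status page or API and treat `vulnerable` and `unknown-branch` hosts as unpatched until confirmed; a version that is one build short of the fixed one (for example 12.6.1.0) is still flagged.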

Detection and threat hunting should focus on several fronts: looking for evidence of the creation or use of anomalous administrative accounts, reviewing the management log for unusual command or payload executions, auditing registered Sentry certificates and hosts, and checking the integrity of binaries and configurations. If your organization was affected by the January vulnerabilities and followed the recommendation to rotate credentials, that reduces the risk from CVE-2026-6973, as Ivanti points out; technical confirmation through forensic analysis is still necessary, however.
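The hunting fronts above translate into a handful of checks over the management audit trail. The script below is an added example, not Ivanti's own tooling and not the real EPMM log format: the pipe-delimited record layout, the action names, the approved-admin list, the management subnet and the known Sentry hosts are all constructed, and the sample log lines are constructed too. It flags admin account creation, activity by accounts outside the approved list, admin logins from outside the management network, management command executions, and Sentry registrations that do not match the baseline.

```python
"""Hunting sketch for the EPMM audit-log indicators listed in the article.

Added example, not Ivanti's own tooling. Log format, field names, action
names, IP ranges and host names are constructed; map them to the real
EPMM management/audit log in your environment.
"""
import ipaddress
from dataclasses import dataclass

# Constructed baseline: approved admin accounts, management subnet, known Sentry hosts.
APPROVED_ADMINS = {"mdmadmin", "ops.jsmith"}
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
KNOWN_SENTRY_HOSTS = {"sentry-01.corp.example", "sentry-02.corp.example"}


@dataclass
class Event:
    ts: str
    actor: str
    action: str
    src_ip: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse 'ts|actor|action|src_ip|detail' (constructed pipe-delimited format)."""
    fields = line.rstrip("\n").split("|", 4)
    if len(fields) != 5:
        raise ValueError(f"unexpected field count in line: {line!r}")
    return Event(*fields)


def in_management_net(ip: str) -> bool:
    """True if the source address falls inside an approved management subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def hunt(lines: list[str]) -> list[str]:
    """Return one finding string per suspicious event, in log order."""
    findings: list[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev.action == "ADMIN_USER_CREATE":
            findings.append(f"{ev.ts} admin account created: {ev.detail} by {ev.actor}")
        if ev.action in {"ADMIN_LOGIN", "ADMIN_USER_CREATE", "COMMAND_EXEC"} and ev.actor not in APPROVED_ADMINS:
            findings.append(f"{ev.ts} unapproved admin actor: {ev.actor} ({ev.action})")
        if ev.action == "ADMIN_LOGIN" and not in_management_net(ev.src_ip):
            findings.append(f"{ev.ts} admin login from outside management net: {ev.src_ip} ({ev.actor})")
        if ev.action == "COMMAND_EXEC":
            findings.append(f"{ev.ts} management command executed by {ev.actor}: {ev.detail}")
        if ev.action == "SENTRY_REGISTER" and ev.detail not in KNOWN_SENTRY_HOSTS:
            findings.append(f"{ev.ts} unknown Sentry host registered: {ev.detail}")
    return findings


# Constructed sample log: one benign login, then a login from a non-management
# address that creates a new admin and runs a command, then two Sentry registrations.
SAMPLE_LOG = [
    "2026-05-02T09:14:03Z|mdmadmin|ADMIN_LOGIN|10.20.0.15|ok",
    "2026-05-02T21:42:51Z|mdmadmin|ADMIN_LOGIN|203.0.113.77|ok",
    "2026-05-02T21:43:10Z|mdmadmin|ADMIN_USER_CREATE|203.0.113.77|svc_backup2",
    "2026-05-02T21:45:02Z|svc_backup2|COMMAND_EXEC|203.0.113.77|config-export",
    "2026-05-03T08:00:00Z|ops.jsmith|SENTRY_REGISTER|10.20.0.20|sentry-02.corp.example",
    "2026-05-03T08:05:00Z|ops.jsmith|SENTRY_REGISTER|10.20.0.20|sentry-99.example.net",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The baseline sets are the point of the exercise: a credential that was not rotated after the January fixes will still pass the "approved admin" check, which is why the article insists on forensic confirmation rather than log review alone.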
Beyond the immediate patch, organizations should rethink their exposure posture: avoid exposing management consoles to the Internet, segment management networks, apply identity-based access controls and least privilege, and strengthen patch-management processes and regression testing to shorten the exposure window for future zero-days. Considering migration to cloud-managed solutions, or to architectures with additional controls, can mitigate the operational risk associated with critical on-premises products.
Finally, document the incident in your risk inventory, inform the relevant stakeholders and, if you detect signs of compromise, coordinate the response with your incident response team and, where necessary, with local regulatory authorities. For organizations that manage many endpoints with EPMM, establishing an accelerated patching policy and running recovery exercises will help prevent a vulnerability of this kind from turning into a major incident or being abused by ransomware actors.