Ivanti has published an urgent advisory about a new vulnerability in its on-premises mobile device management product, Endpoint Manager Mobile (EPMM), tracked as CVE-2026-6973 with a CVSS score of 7.2. According to the company, it has already been exploited in a very limited number of real-world incidents. The vulnerability is an insufficient input validation flaw that allows remote code execution when the attacker holds administrative credentials; Ivanti stresses that exploitation requires authentication with administrative privileges, so exposure depends both on running a vulnerable version and on how tightly access to administrative accounts is controlled.
Alongside CVE-2026-6973, Ivanti has fixed four further EPMM on-premises vulnerabilities that deserve immediate attention: CVE-2026-5786 (administrative access through improper access control), CVE-2026-5787 (improper certificate validation allowing impersonation and the issuance of CA-signed certificates), CVE-2026-5788 (arbitrary method invocation by an unauthenticated attacker) and CVE-2026-7821 (unauthorised device enrolment and leakage of application information). Because the set includes flaws that require no prior authentication, they rank as a high priority for mitigation.

The US government has responded by adding the vulnerability to CISA's Known Exploited Vulnerabilities (KEV) catalogue, which requires federal civilian agencies to apply the fixes by 10 May 2026. The listing underlines the operational risk and the need to prioritise patch deployment, not only in government environments but in any company that manages critical corporate mobile devices.
Ivanti states that the fixes are included in EPMM versions 12.6.1.1, 12.7.0.1 and 12.8.0.1; if your installation runs an earlier build, the most urgent action is to plan and carry out the upgrade to the fixed build for its release branch, or a later version. Since the vulnerabilities affect only the on-premises edition of EPMM, and not Ivanti Neurons for MDM (cloud) or other Ivanti products, it is essential to identify precisely which product and version is in production before making technical decisions.
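As an added example (not Ivanti's tooling and not from the advisory), the following Python script triages an inventory of EPMM on-premises version strings against the three fixed builds named above. It assumes the usual dotted four-part numbering, that each of the 12.6, 12.7 and 12.8 branches carries its own fix, and that branches newer than 12.8 already include the fix, which the advisory's "or higher" wording implies but does not state. The hostnames and versions in the inventory are constructed for illustration.

```python
"""Branch-aware patch triage for Ivanti EPMM on-premises version strings.

Added example, not Ivanti's code. The fixed builds are the three named in
the advisory. A plain numeric comparison gets this wrong: 12.7.0.0 sorts
above 12.6.1.1 yet is still unpatched, because each release branch has its
own fix.
"""
from dataclasses import dataclass

# Fixed builds from the advisory, keyed by release branch (major, minor).
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
OLDEST_FIXED_BRANCH = min(FIXED_BUILDS)


def fmt(version: tuple[int, ...]) -> str:
    return ".".join(str(n) for n in version)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse '12.7.0.1' (or a shorter prefix such as '12.7') into four ints.

    Missing trailing components are treated as 0, so '12.7' means 12.7.0.0.
    Assumes the dotted four-part scheme; anything else is rejected rather
    than guessed at.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EPMM version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


@dataclass(frozen=True)
class Triage:
    version: str
    patched: bool
    reason: str


def triage_epmm(version: str) -> Triage:
    """Decide whether one EPMM build carries the advisory's fixes."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BUILDS:
        fixed = FIXED_BUILDS[branch]
        if v >= fixed:
            return Triage(version, True, f"at or above fixed build {fmt(fixed)}")
        return Triage(version, False,
                      f"branch {fmt(branch)} is fixed in {fmt(fixed)}; upgrade")
    if branch < OLDEST_FIXED_BRANCH:
        return Triage(version, False,
                      "branch predates every fixed release; upgrade to "
                      f"{fmt(FIXED_BUILDS[OLDEST_FIXED_BRANCH])} or later")
    # Assumption: branches newer than the ones listed shipped after the fix.
    return Triage(version, True,
                  "branch newer than the listed fixed releases (assumed fixed)")


def hosts_needing_upgrade(inventory: dict[str, str]) -> dict[str, str]:
    """Return hostname -> reason for every host that is not on a fixed build."""
    needs = {}
    for host, version in inventory.items():
        t = triage_epmm(version)
        if not t.patched:
            needs[host] = t.reason
    return needs


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "epmm-prod-01": "12.7.0.0",
    "epmm-prod-02": "12.8.0.1",
    "epmm-dr-01": "12.6.1.1",
    "epmm-lab": "12.5.2.0",
}

if __name__ == "__main__":
    for host, reason in hosts_needing_upgrade(SAMPLE_INVENTORY).items():
        print(f"{host}: {reason}")
```

Feed `hosts_needing_upgrade` with the version strings your CMDB or the EPMM admin portal reports; the per-branch table is the part worth keeping, because "is my version higher than 12.6.1.1?" is the wrong question for a 12.7 host.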
If your organisation has already been notified of, or suspects, earlier exploitation (for example in incidents related to CVE-2026-1281 or CVE-2026-1340), Ivanti recommends checking that administrative credentials have been rotated; because CVE-2026-6973 requires administrative credentials, that rotation substantially reduces the attack surface for it. In addition, carry out a forensic review of administrative access logs, verify the integrity of binaries and configuration, and hunt for indicators of compromise associated with these issues, including unusual certificate use and unauthorised device enrolments.

In practice, the immediate measures are to apply the official patch, rotate administrative and service credentials, revoke and reissue affected certificates where appropriate, and restrict access to the EPMM management interface through network segmentation, administrative VPNs and access control lists. Enable multi-factor authentication on privileged accounts and raise the level of monitoring around management endpoints: look for administrative access outside business hours, abnormal changes in TLS certificate enrolment, and traffic patterns that may indicate Sentry impersonation or attempts to obtain certificates.
From an operational and governance standpoint, coordinate with your security team, the vendor and any third parties that manage mobile devices so that updates are rolled out in a controlled way with backup and rollback plans in place. Consult the manufacturer's technical note and advisory for specific update instructions, and cross-check against public reference sources such as the CISA catalogue and the NVD database to track the CVE entries and public telemetry: Ivanti's security advisories, the CISA KEV catalogue entry mentioned above, and the NVD page for each CVE (CVE-2026-6973 in NVD).
In short, treat these fixes as a priority: update EPMM on-premises to the patched versions, rotate administrative credentials, tighten access controls and review logs for suspicious activity. Combining the technical patches with detection and containment measures substantially reduces the likelihood that the exploitation observed in the wild has a real impact on your organisation.
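The two monitoring checks that are easiest to automate, administrative logins outside business hours and administrative logins from outside the allow-listed management network, are shown below as an added Python example. It is not part of the advisory or of Ivanti's products: the log lines are constructed for illustration, the field layout is assumed (real EPMM audit exports have their own format, so adapt `parse_line`), and the management subnet and business hours are placeholder policy values.

```python
"""Flag risky administrative logins in an admin audit export.

Added example, not Ivanti's code. Implements two of the advisory's
monitoring suggestions: admin sessions outside business hours and admin
access from outside the management network permitted by the ACLs.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample lines: ISO timestamp, user, role, source IP, event.
# The format is assumed for illustration; adapt parse_line() to your export.
SAMPLE_LOG = """\
2026-04-20T09:12:03 alice admin 10.50.1.23 LOGIN_SUCCESS
2026-04-20T13:40:11 bob user 10.60.4.9 LOGIN_SUCCESS
2026-04-20T23:55:41 alice admin 10.50.1.23 LOGIN_SUCCESS
2026-04-21T02:17:09 svc_mdm admin 203.0.113.77 LOGIN_SUCCESS
2026-04-21T10:03:55 carol admin 10.50.1.40 LOGIN_FAILURE
2026-04-21T10:04:12 carol admin 10.50.1.40 LOGIN_SUCCESS
"""

# Assumed policy (placeholders): the admin portal is reachable only from the
# management VLAN 10.50.1.0/24, and admins work 08:00-19:00 local time.
ADMIN_NETWORKS = [ipaddress.ip_network("10.50.1.0/24")]
BUSINESS_START, BUSINESS_END = time(8, 0), time(19, 0)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    action: str


def parse_line(line: str) -> Event:
    """Parse one whitespace-separated audit line into an Event."""
    ts, user, role, src, action = line.split()
    return Event(datetime.fromisoformat(ts), user, role,
                 ipaddress.ip_address(src), action)


def findings_for(ev: Event) -> list[str]:
    """Reasons a successful admin login deserves review (empty if none)."""
    if ev.role != "admin" or ev.action != "LOGIN_SUCCESS":
        return []
    reasons = []
    if not BUSINESS_START <= ev.ts.time() < BUSINESS_END:
        reasons.append("after-hours admin login")
    if not any(ev.src in net for net in ADMIN_NETWORKS):
        reasons.append(f"admin login from outside management network ({ev.src})")
    return reasons


def review(log_text: str) -> list[tuple[Event, list[str]]]:
    """Return every event that triggered at least one finding, in log order."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = findings_for(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    for ev, reasons in review(SAMPLE_LOG):
        print(f"{ev.ts.isoformat()} {ev.user:8} {str(ev.src):<15} {'; '.join(reasons)}")
```

On the sample, the 23:55 login by alice is flagged only for timing, while the 02:17 login by svc_mdm is flagged on both counts; a service account authenticating to the management interface from a public address at night is exactly the pattern that should trigger credential rotation and a log review.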