Zero-Day Exploitation: Ivanti Urges Patching of EPMM Remote Code Execution Flaw
**Ivanti** is urging customers to immediately patch a high-severity remote code execution vulnerability in **Endpoint Manager Mobile (EPMM)**, identified as **CVE-2026-6973**. The vulnerability is actively being exploited in zero-day attacks and requires immediate attention from administrators.

**Ivanti** has issued a critical warning to its customers, advising them to patch a high-severity remote code execution (RCE) vulnerability, **CVE-2026-6973**, affecting **Endpoint Manager Mobile (EPMM)**. This flaw is currently being exploited in zero-day attacks.
### Technical Details of CVE-2026-6973
The vulnerability stems from an Improper Input Validation weakness, allowing remote attackers with administrative privileges to execute arbitrary code on systems running **EPMM** version 12.8.0.0 and earlier. This highlights the critical need for prompt patching to mitigate potential exploitation.
### Mitigation Steps
**Ivanti** advises customers to install the following patched versions of **Ivanti EPMM**: 12.6.1.1, 12.7.0.1, and 12.8.0.1. Additionally, the company recommends a thorough review of all accounts with administrative rights and a rotation of credentials where necessary. This proactive approach can significantly reduce the risk of exploitation.
> "At the time of disclosure, we are aware of very limited exploitation of **CVE-2026-6973**, which requires admin authentication for successful exploitation. We are not aware of any customers being exploited by the other vulnerabilities disclosed today," the company said.
The vulnerability affects only the on-premises **EPMM** product and is not present in **Ivanti Neurons for MDM**, **Ivanti EPM**, **Ivanti Sentry**, or other **Ivanti** products.
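Because the fixes are branch-specific, a plain "newer than 12.8.0.0" or string comparison misjudges hosts such as 12.6.1.1. The following Python is an added example, not Ivanti tooling: it classifies version strings from an inventory against the fixed releases listed above. The hostnames, the sample versions and the dotted four-part version format are assumptions.

```python
import re

# Fixed releases per branch, as listed in the article.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
LAST_AFFECTED = (12, 8, 0, 0)  # article: "version 12.8.0.0 and earlier"


def parse_version(text):
    """Parse 'a.b.c.d' into a 4-tuple of ints (assumed format); missing parts are 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def classify(text):
    """Return (status, hint): 'patched', 'vulnerable' or 'outside-affected-range'."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        if v >= fixed:
            return ("patched", None)
        return ("vulnerable", ".".join(map(str, fixed)))
    if v <= LAST_AFFECTED:
        # Older branch with no fixed release named in the article.
        return ("vulnerable", "upgrade to a branch with a fixed release")
    return ("outside-affected-range", None)


# Constructed inventory: hostnames and versions are made up for illustration.
INVENTORY = {
    "epmm-a.example.internal": "12.6.1.1",
    "epmm-b.example.internal": "12.6.0.5",
    "epmm-c.example.internal": "12.8.0.0",
    "epmm-d.example.internal": "12.5.0.2",
    "epmm-e.example.internal": "12.10.0.0",  # numeric compare: 10 > 8
}


def audit(inventory):
    """Map each host to its classification; hosts that need action sort first."""
    results = {host: classify(ver) for host, ver in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: kv[1][0] != "vulnerable"))


if __name__ == "__main__":
    for host, (status, hint) in audit(INVENTORY).items():
        print(f"{host:28} {status:24} {hint or ''}")
```

A "patched" result covers only the version check; the admin-account review and credential rotation recommended above still apply.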
### Exposure and Monitoring
**Shadowserver** is currently tracking over 850 IP addresses with **Ivanti EPMM** fingerprints exposed online, with a significant portion located in Europe (508) and North America (182). While this data provides insight into potential exposure, the number of systems already patched against **CVE-2026-6973** remains unknown.

*Ivanti EPMM IPs exposed online (Shadowserver)*
### Additional Vulnerabilities Patched
In addition to **CVE-2026-6973**, **Ivanti** has also released patches for four other high-severity **EPMM** vulnerabilities: **CVE-2026-5786**, **CVE-2026-5787**, **CVE-2026-5788**, and **CVE-2026-7821**. These vulnerabilities could allow attackers to gain admin access, impersonate registered Sentry hosts, invoke arbitrary methods, and access restricted information.
**Ivanti** stated that there is no evidence of these flaws being exploited in the wild. **CVE-2026-7821** only affects users who utilize and have configured **Apple Device Enrollment**.
### Recent History of Ivanti EPMM Vulnerabilities
In January, **Ivanti** disclosed two critical **EPMM** code-injection vulnerabilities, **CVE-2026-1281** and **CVE-2026-1340**, which were exploited in zero-day attacks affecting a limited number of customers.
> "If customers followed **Ivanti**'s recommendation in January to rotate credentials if you were exploited with **CVE-2026-1281** and **CVE-2026-1340**, then your risk of exploitation from **CVE-2026-6973** is significantly reduced," the company added.
### CISA Involvement
In April, the **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** directed U.S. government agencies to secure their systems against **CVE-2026-1340** attacks within four days, underscoring the severity of these vulnerabilities.
Multiple **Ivanti EPMM** zero-days have been exploited in recent years, leading to breaches across various targets, including government agencies worldwide. To date, **CISA** has flagged 33 **Ivanti** vulnerabilities as exploited in the wild, with 12 of these being abused by ransomware operations.
**Ivanti** provides IT asset management products to over 40,000 customers globally through a network of more than 7,000 partners.