Ivanti EPMM Vulnerability Exploited in Active Attacks Grants Admin Access

A critical security vulnerability in Ivanti’s Endpoint Manager Mobile (EPMM) software is currently under active exploitation in limited cyberattacks, according to a warning issued by the company this week. The flaw allows a remote, authenticated attacker to gain administrative-level control over affected systems.

Identified as CVE-2026-6973, the vulnerability carries a high severity score of 7.2 on the Common Vulnerability Scoring System (CVSS). It is classified as an improper input validation error present in EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. Ivanti has confirmed that the flaw exists in the software’s handling of certain user-supplied data, which can be exploited to achieve remote code execution (RCE).

Remote code execution refers to an attacker’s ability to run arbitrary commands or malicious code on a target system from a remote location. In this specific case, the exploitation requires the attacker to first have valid administrative credentials for the EPMM system. Once authenticated, the attacker can elevate their privileges or execute commands with full system administrator rights.

Nature of the Exploit

Ivanti’s advisory states that CVE-2026-6973 affects the Ivanti EPMM product, a widely used enterprise mobility management platform that helps organizations manage and secure mobile devices. The vulnerability was discovered in a core component responsible for input processing, where the system fails to properly validate or sanitize data provided by an already authenticated user. This oversight can allow the injection of malicious code that the system then executes.

According to Ivanti, the company is aware of limited, targeted exploitation of this vulnerability in real-world attacks. The company has not disclosed the identity of the threat actors or the specific industries targeted, but it has urged all customers to apply available patches immediately.

Affected Versions and Patches

The following versions of Ivanti EPMM are confirmed to be vulnerable: all releases before version 12.6.1.1, before version 12.7.0.1, and before version 12.8.0.1. Ivanti has released security updates for these affected branches. Users running older or unsupported versions are advised to upgrade to a supported and patched release as soon as possible.
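The version boundaries above can be turned into an inventory check. This is an added example, not code from Ivanti or the original article: the host names and version strings are constructed, and it assumes the version is reported as a plain dotted number. Branches newer than 12.8 are flagged for manual review because the article does not cover them.

```python
import re

# Fixed release for each branch, as listed in the article.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}

def parse_version(text):
    """Parse 'a.b[.c[.d]]' into a 4-tuple of ints, padding missing parts with 0."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){1,3})\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(text):
    """Return 'patched', 'vulnerable', 'upgrade-required' or 'review'."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        # Integer tuple comparison, so 12.6.10.0 sorts after 12.6.1.1.
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        return "upgrade-required"   # older branch: no fixed release named in the article
    return "review"                 # newer branch: assumption, confirm against the advisory

def triage(inventory):
    """Map host -> status; unparsable versions become 'unknown' instead of being skipped."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unknown"
    return result

# Constructed inventory (hypothetical host names and versions).
SAMPLE = {
    "epmm-eu-01": "12.6.1.0",
    "epmm-eu-02": "12.6.1.1",
    "epmm-us-01": "12.7.0.0",
    "epmm-us-02": "12.8.0.1",
    "epmm-lab": "12.5.0.3",
    "epmm-dr": "not reported",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:12} {status}")
```

Hosts reported as "unknown" or "review" need a manual look rather than being counted as safe.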

Ivanti has not provided details on any temporary workarounds for organizations unable to immediately patch. The company recommends that administrators review system logs for signs of unauthorized access or unusual activity, particularly in environments where administrative accounts may have been compromised.

Context and Implications

The active exploitation of this vulnerability underscores ongoing risks faced by enterprise mobility management systems, which are increasingly targeted because they hold access to sensitive corporate data and device management capabilities. An attacker gaining full administrative access to an EPMM instance could push malicious configurations, deploy malware, or exfiltrate data managed by the platform.

This is not the first high-profile vulnerability in Ivanti’s product suite in recent months. The company has faced scrutiny over a series of zero-day flaws in its VPN and mobile management products, with attackers often combining privilege escalation bugs with remote code execution flaws to compromise networks. Security experts have previously noted that flaws requiring authentication, like CVE-2026-6973, are frequently exploited in conjunction with credential theft or brute-force attacks.

Ivanti has recommended that all customers enforce strong multi-factor authentication (MFA) on administrative accounts, limit the number of privileged users, and monitor network traffic to the EPMM console for anomalous behavior. The company is continuing its investigation into the attacks and has promised to provide updates if new information becomes available.

The disclosure of this vulnerability comes as cybersecurity agencies globally, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have added similar Ivanti flaws to their Known Exploited Vulnerabilities catalog in the past. Industry watchers expect this CVE to be added to such lists shortly due to the confirmed active exploitation.

Organizations using affected versions of Ivanti EPMM should prioritize patching as a critical security measure. The patch can be obtained through Ivanti’s customer support portal or automated update mechanisms. Given the administrative access granted to attackers upon successful exploitation, the risks to enterprise data integrity and network security are considered substantial.

Source: Delimiter Online
