Ivanti Warns of New EPMM Flaw Exploited in Zero-Day Attacks

Ivanti has issued a critical advisory regarding a newly discovered vulnerability in its Endpoint Manager Mobile (EPMM) software, which is currently being exploited in zero-day attacks. This flaw, identified as CVE-2026-6973, poses a significant risk due to its potential for remote code execution.

What Happened

The vulnerability arises from improper input validation and allows a remote attacker who already holds administrative privileges on the appliance to execute arbitrary code on systems running EPMM versions 12.8.0.0 and earlier. Ivanti has confirmed active exploitation but says that, as far as it can tell, the number of affected customers is limited at this time.

In response to this threat, Ivanti has recommended that customers upgrade to versions 12.6.1.1, 12.7.0.1, or 12.8.0.1 to mitigate the risk associated with this vulnerability. Additionally, the company advises organizations to review and rotate administrative credentials as a precautionary measure.

Why It Matters

Remote code execution on an EPMM server is serious because the server manages and pushes configuration to every enrolled mobile device, so control of it can extend well beyond the appliance itself. The requirement for administrative access raises the bar for exploitation, but it also means that any weak, reused, or already-stolen admin credential becomes a direct path to code execution, which is why Ivanti's advice to rotate those credentials matters as much as the patch. Exposure is not theoretical: Ivanti's advisory indicates that over 850 IP addresses with EPMM fingerprints are currently reachable from the internet.

Ivanti has also patched four additional high-severity vulnerabilities in EPMM in the same release; these could allow an attacker to gain administrative access or to impersonate a legitimate enrolled device. None of the four has been reported as exploited in the wild, but a flaw that yields administrative access is exactly the kind of precondition the zero-day needs, so they should be treated as part of the same patching exercise rather than as a lower-priority follow-up.

Affected Users or Organizations

The vulnerabilities affect the on-premises EPMM product. Ivanti states that its other products, including the cloud-based Ivanti Neurons for MDM and the separate Ivanti Endpoint Manager (EPM), are not impacted. Every organization running EPMM should act immediately; the exposed instances seen online are concentrated in Europe and North America, but an unpatched appliance is at risk wherever it is hosted.

Recommended Actions

  • Upgrade Software: Update to Ivanti EPMM version 12.6.1.1, 12.7.0.1, or 12.8.0.1, whichever matches your maintenance branch, and confirm the running version afterwards rather than assuming the upgrade completed.
  • Review Administrative Accounts: Enumerate every account with administrative privileges on the appliance, remove any that are unexpected or no longer needed, and rotate the credentials of the rest, since a valid admin credential is the precondition for this exploit.
  • Monitor Access and Network Traffic: Review the appliance's administrative and audit logs for logins from unfamiliar source addresses or outside normal working hours, and watch network traffic to and from the EPMM server for connections that do not fit its expected role.
  • Reduce Exposure: Restrict access to the EPMM administrative interface to trusted networks or a VPN where the deployment allows it, and make sure firewalls and intrusion detection systems in front of the appliance are in place and properly configured.
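The upgrade step is easy to get wrong across a fleet because the fixed build differs per maintenance branch. The following script, an added example rather than anything published by Ivanti, triages an EPMM inventory against the version facts stated above: 12.8.0.0 and earlier are affected, and 12.6.1.1, 12.7.0.1 and 12.8.0.1 carry the fix. The inventory below is constructed sample data, and the choice to point branches with no listed fixed build (anything older than 12.6) at the newest fixed release is an assumption for illustration; the advisory itself names no target for them.

```python
"""Triage EPMM appliance versions against the fixed builds in Ivanti's advisory.

Added example for this article; not Ivanti tooling. The inventory is constructed
sample data. Target for unlisted older branches is an assumption (see triage()).
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed builds named in the advisory, keyed by maintenance branch (major, minor).
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}

# Highest build the advisory lists as affected ("12.8.0.0 and earlier").
LAST_AFFECTED: Version = (12, 8, 0, 0)


def parse_version(text: str) -> Version:
    """Turn '12.7.0.1' into (12, 7, 0, 1); shorter strings are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised EPMM version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))  # type: ignore[return-value]


def format_version(v: Version) -> str:
    return ".".join(str(p) for p in v)


def triage(version: str) -> Tuple[str, Optional[str]]:
    """Classify one appliance.

    Returns (status, upgrade_target) where status is:
      'fixed'    - at or above the fixed build for its branch
      'affected' - needs the named upgrade_target
      'unknown'  - newer than anything the advisory covers; check manually
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is not None:
        # Tuple comparison is lexicographic, so 12.6.1.0 < 12.6.1.1 as intended.
        return ("fixed", None) if v >= fixed else ("affected", format_version(fixed))
    if v <= LAST_AFFECTED:
        # Older branch with no fixed build listed in the advisory. ASSUMPTION:
        # recommend moving to the newest fixed release; confirm with Ivanti.
        return "affected", format_version(max(FIXED_VERSIONS.values()))
    return "unknown", None


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Run triage() over a {hostname: version} mapping."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are illustrative only.
INVENTORY = {
    "epmm-eu-01.example.internal": "12.8.0.0",
    "epmm-eu-02.example.internal": "12.8.0.1",
    "epmm-na-01.example.internal": "12.6.1.0",
    "epmm-na-02.example.internal": "12.7.0.1",
    "epmm-lab-01.example.internal": "12.5.0.0",
}


if __name__ == "__main__":
    for host, (status, target) in sorted(triage_inventory(INVENTORY).items()):
        action = f"upgrade to {target}" if target else "no action"
        print(f"{host:32} {status:9} {action}")
```

Feed it the version strings collected from each appliance's admin portal or your asset inventory; anything reported as `unknown` is newer than the advisory covers and should be checked against Ivanti's current guidance rather than assumed safe.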

As the situation evolves, organizations are encouraged to stay informed about further updates from Ivanti and to prioritize their cybersecurity posture to mitigate potential risks.