PROBABLYPWNED
Vulnerabilities | May 8, 2026 | 3 min read

Ivanti EPMM Zero-Day Exploited in the Wild—CISA Sets May 10 Deadline

CVE-2026-6973 lets attackers achieve RCE on Ivanti Endpoint Manager Mobile with admin credentials. CISA added it to KEV with a two-day patch deadline for federal agencies.

Vulnerability Desk

Ivanti has disclosed a high-severity vulnerability in its Endpoint Manager Mobile (EPMM) product that attackers are already exploiting in targeted attacks. The flaw, tracked as CVE-2026-6973, carries a CVSS score of 7.2 and enables remote code execution for authenticated administrators.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) moved quickly, adding CVE-2026-6973 to its Known Exploited Vulnerabilities catalog on May 7 and setting a remediation deadline of May 10, 2026—giving federal agencies just three days to patch.

What Makes This Dangerous

The vulnerability stems from improper input validation in EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1. While successful exploitation requires administrative credentials, that's cold comfort for organizations where admin accounts have already been compromised through phishing or credential stuffing.

Ivanti confirmed "a very limited number of customers" have been hit but declined to share details about the attackers or their objectives. The company hasn't attributed the exploitation to any specific threat group.

The Credential Rotation Factor

Here's where prior incident response pays off: organizations that rotated credentials following January's CVE-2026-1281 and CVE-2026-1340 disclosures have substantially reduced their exposure. Attackers relying on previously stolen admin credentials would find them useless.

But if you skipped that step—or if your admin credentials were compromised more recently—you're in the crosshairs.

Four More EPMM Flaws Patched

Ivanti simultaneously fixed four additional high-severity vulnerabilities in EPMM:

  • CVE-2026-5786 (CVSS 8.9) - Enables attackers to gain admin access
  • CVE-2026-5787 (CVSS 8.2) - Allows impersonation of registered Sentry hosts to obtain CA-signed client certificates
  • CVE-2026-5788 (CVSS 7.5) - Permits invocation of arbitrary methods
  • CVE-2026-7821 (CVSS 7.0) - Exposes access to restricted information

Ivanti says there's no evidence these four are being exploited in the wild—yet.

Only On-Premises Deployments Affected

The silver lining: this batch of vulnerabilities only affects on-premises EPMM installations. Ivanti Neurons for MDM (the cloud-based offering), Ivanti EPM, Ivanti Sentry, and other products remain unaffected.

This pattern mirrors what we've seen with other Palo Alto zero-days and similar enterprise software—on-prem deployments consistently lag in patching, making them attractive targets for both opportunistic and targeted attacks.

Why This Matters

Ivanti products have been under sustained pressure from attackers over the past two years. The company's VPN appliances, cloud services, and now mobile device management platforms have all seen active exploitation of zero-days. For organizations running EPMM on-premises, this should trigger an immediate patching cycle.

The two-day CISA deadline is unusually aggressive, reflecting the agency's assessment that exploitation will scale rapidly. Mobile device management platforms are particularly sensitive targets—they hold the keys to every enrolled device in your organization.

Recommended Actions

  1. Patch immediately - Upgrade to EPMM versions 12.6.1.1, 12.7.0.1, or 12.8.0.1
  2. Rotate admin credentials - If you haven't done so since January, now is the time
  3. Audit admin account activity - Look for anomalous logins or configuration changes
  4. Review MDM enrollment logs - Check for unauthorized device enrollments
  5. Monitor for IOCs - Watch for unusual outbound connections from EPMM servers
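To support step 1, here is an added example (not from Ivanti or the original article) that triages an inventory of on-prem EPMM versions against the three fixed builds named above. It assumes each fixed build applies to its own major.minor branch and that branches older than 12.6 have no fix listed; the hostnames and versions in the inventory are constructed.

```python
import re

# Fixed builds named in the article. Assumption: each one applies to its own
# major.minor release branch (12.6.x, 12.7.x, 12.8.x).
FIXED_BUILDS = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}

# Constructed inventory: hostnames and versions are made up for this example.
INVENTORY = {"mdm-core-01": "12.6.1.0", "mdm-core-02": "12.7.0.1",
             "mdm-lab-01": "12.5.0.2", "mdm-dr-01": "12.8"}

def parse_version(text):
    """Parse a dotted version such as '12.7.0.0' into a 4-tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad '12.8' to 12.8.0.0

def triage(version_text):
    """Return (status, detail); status is PATCHED, VULNERABLE or REVIEW."""
    try:
        version = parse_version(version_text)
    except ValueError as exc:
        return "REVIEW", str(exc)
    branch = version[:2]
    fixed = FIXED_BUILDS.get(branch)
    if fixed is not None:
        target = ".".join(map(str, fixed))
        if version >= fixed:
            return "PATCHED", f"at or above {target}"
        return "VULNERABLE", f"upgrade to {target} or later"
    if branch < min(FIXED_BUILDS):
        # Assumption: no fixed build is listed for branches older than 12.6,
        # so they count as affected and need a move to a fixed branch.
        return "VULNERABLE", "no fixed build listed for this branch"
    # Newer or unknown branch: the article gives no data, so do not guess.
    return "REVIEW", "branch not covered by the article; check the vendor advisory"

def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(ver)[0] for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        status, detail = triage(ver)
        print(f"{host:12} {ver:10} {status:10} {detail}")
```

Anything reported as REVIEW (an unparseable version string or a branch newer than 12.8) should be checked against the vendor advisory by hand.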

Organizations still running legacy mobile device management platforms should consider this another data point in the migration decision. Cloud-based MDM eliminates the patching burden—and the exposure window—that makes on-prem deployments attractive targets.
