Ivanti EPMM Zero-Day: Patch Critical RCE Flaw Now

Ivanti EPMM – Misryoum reports Ivanti has patched a new EPMM remote code execution zero-day and urges admin credential review.
A newly disclosed zero-day is putting Ivanti Endpoint Manager Mobile (EPMM) users on alert, with Ivanti warning customers to patch a critical remote code execution flaw before attackers weaponize it further.
Misryoum reports the vulnerability is tracked as CVE-2026-6973 and is tied to improper input validation. Ivanti says remote attackers can execute arbitrary code on systems running EPMM 12.8.0.0 and earlier, but exploitation requires administrative privileges.
This kind of requirement matters: it narrows the pool of attackers who can immediately benefit, yet it does not make the risk harmless. In real incidents, privileged access is often the end result of another compromise, meaning organizations that treat “admin-only” flaws as low priority may still get hit.
Ivanti’s guidance is straightforward. The company advises customers to update to Ivanti EPMM 12.6.1.1, 12.7.0.1, or 12.8.0.1 to address the issue. It also recommends reviewing accounts with Admin rights and rotating credentials where necessary, especially for environments where privileged access may have been exposed.
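A flat "12.8.0.0 or lower" comparison would wrongly flag the fixed 12.6.1.1 and 12.7.0.1 builds, so triage has to be done per release branch. The sketch below is an added example, not Ivanti's or Misryoum's code; it assumes version strings contain four dot-separated integers, and the host names and inventory are constructed.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}

def parse_version(text):
    """Return a 4-tuple of ints from e.g. '12.7.0.0', or None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def triage(version_text):
    """Classify one EPMM version string against the fixed builds."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    branch = v[:2]
    if branch in FIXED:
        # Compare only against the fix for this branch.
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        # Older branch: affected, and the article names no in-branch fix.
        return "vulnerable"
    # Newer than anything the article covers; check the vendor advisory.
    return "unknown"

# Constructed inventory (hypothetical hosts and versions).
INVENTORY = {
    "epmm-eu-01": "12.8.0.0",
    "epmm-eu-02": "12.6.1.1",
    "epmm-us-01": "12.5.0.2",
    "epmm-us-02": "12.7.0.1",
    "epmm-lab": "version not reported",
}

def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:22} {status}")
```

Hosts reported as `vulnerable` or `unparseable` are the ones to follow up on first, alongside the Admin account review and credential rotation.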
Misryoum notes that Ivanti states exploitation at the time of disclosure appears limited, while the company has not found evidence that other vulnerabilities it disclosed in the same period are being abused in customer environments. Ivanti also emphasizes that the problem affects the on-prem EPMM product and does not impact its cloud-based unified endpoint management offering or several other related products.
Meanwhile, the attack surface is still worth paying attention to. Misryoum reports that internet-facing exposure of EPMM fingerprints has been observed online, with many systems identified across Europe and North America. Even without certainty about patch coverage, this visibility can help attackers find targets quickly once exploitation becomes more common.
In addition to CVE-2026-6973, Ivanti patched four other high-severity EPMM issues affecting admin access and certificate-related abuse paths, along with problems that could enable method invocation and access to restricted information. Ivanti says it has no evidence these additional flaws are exploited in the wild, and it also points out that one issue, CVE-2026-7821, is linked to environments using Apple Device Enrollment.
This is a classic reminder that endpoint management software is part of a security foundation, not an optional layer. When flaws land in widely deployed tooling, organizations that patch promptly, tighten admin access, and validate credential hygiene can meaningfully reduce the odds of turning a limited incident into a wider breach.
Misryoum adds that Ivanti previously disclosed other EPMM code-injection vulnerabilities that were reportedly exploited against a very limited number of customers. Ivanti says credential rotation advice given back then can significantly reduce exposure tied to the newly disclosed zero-day. The message now is consistent: update, review privileges, and be ready to act quickly when new exploitation guidance appears.