INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
U.S. CISA Adds Known Exploited Vulnerability in Ivanti EPMM
2026-05-07 18:03 | CRITICAL HIGH
Executive Summary (AI-generated)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-6973, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities catalog. The flaw is caused by improper input validation and allows attackers with admin privileges to execute arbitrary code on systems running the software. Ivanti also patched four other high-severity EPMM vulnerabilities that can allow attackers to gain administrative access, impersonate registered Sentry hosts to obtain valid CA-signed client certificates, invoke arbitrary methods, and access restricted information.
Technical Mitigations AI-generated
* Implement input validation checks: Ensure that all user inputs, especially those related to system configuration or data entry, are validated and sanitized before being processed. This can help prevent exploitation of the Ivanti Endpoint Manager Mobile (EPMM) zero-day vulnerability.
* Use secure authentication mechanisms: Implement strong authentication protocols, such as multi-factor authentication (MFA), to ensure that only authorized users can access systems running EPMM 12.8.0.0 and earlier.
* Regularly update and patch software: Keep all system components, including Ivanti Endpoint Manager Mobile, up-to-date with the latest security patches and updates to prevent exploitation of known vulnerabilities like CVE-2026-6973.
* Monitor for suspicious activity: Regularly monitor system logs and network traffic for signs of unauthorized access or malicious activity. This can help identify potential threats before they escalate into full-blown attacks.
* Implement least privilege access control: Limit user privileges to only what is necessary for their role, reducing the attack surface by minimizing the number of accounts with admin rights that could be exploited in a zero-day attack.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-5786
CVE-2026-5787
CVE-2026-1340
CVE-2026-5788
CVE-2026-6973
CVE-2026-1281
CVE-2026-7821
Target & Sectors
EUROPE
NORTH_AMERICA
Incident Timeline
2026/05/07
Ivanti patched four high-severity vulnerabilities in its Endpoint Manager Mobile (EPMM) software.
Ivanti EPMM IPs exposed online (Shadowserver)
Today, Ivanti also patched four other high-severity EPMM vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821) that can allow attackers to gain admin access, impersonate registered Sentry hosts to obtain valid CA-signed client certificates, invoke arbitrary methods, and gain access to restricted information.
Ivanti warned customers today to patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) exploited in zero-day attacks.
"If customers followed Ivanti's recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced," the company added today.
2026/05/07
Ivanti Endpoint Manager Mobile (EPMM) has a flaw in its 12.8.0 and earlier versions that allows remote attackers with administrative privileges to execute arbitrary code on targeted systems, according to the U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog.
U.S. CISA adds a flaw in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in the Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-6973 (CVSS score of 7.1), to its Known Exploited Vulnerabilities (KEV) catalog.
Ivanti warns customers of a high-severity zero-day vulnerability, tracked as CVE-2026-6973, in Endpoint Manager Mobile that is already being exploited.
Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1 address the vulnerability.
The vulnerability doesn’t affect Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products.
In total, CISA has flagged 33 Ivanti vulnerabilities as exploited in the wild, 12 of which were also abused by various ransomware operations.
Ivanti warns of new EPMM flaw exploited in zero-day attacks.
Ivanti says customers can mitigate the zero-day by installing Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and advises customers to review accounts with Admin rights and rotate those credentials where necessary.
"The issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti's cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products."
Internet security watchdog Shadowserver currently tracks over 850 IP addresses with Ivanti EPMM fingerprints exposed online, most of them from Europe (508) and North America (182).
In January, Ivanti disclosed two other critical EPMM code-injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) that were exploited in zero-day attacks affecting a "very limited number of customers."
Multiple other Ivanti EPMM zero-days have been exploited in attacks in recent years to breach a wide range of targets, including government agencies worldwide.
Ivanti provides IT asset management products to more than 40,000 customers through a network of over 7,000 partners worldwide.
The security flaw (tracked as CVE-2026-6973) stems from an Improper Input Validation weakness that allows remote attackers with administrative privileges to execute arbitrary code on targeted systems running EPMM 12.8.0.0 and earlier.
The flaw, caused by improper input validation, allows attackers with admin privileges to execute arbitrary code on systems running EPMM 12.8.0.0 and earlier.
However, the company said it has no evidence that these flaws have been exploited in the wild and noted that CVE-2026-7821 (which can be exploited by attackers without privileges) affects only users who use and have configured Apple Device Enrollment.
May 10, 2026
Threat actors exploited a flaw in Ivanti Endpoint Manager Mobile (EPMM) to target U.S. federal agencies; CISA ordered the affected systems to be fixed by May 10, 2026.
May 12
Threat actors exploited a flaw in Ivanti Endpoint Manager Mobile (EPMM) to target the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Intelligence Sources
Security Affairs, 2026-05-07
BleepingComputer, 2026-05-07: Ivanti warns of new EPMM flaw exploited in zero-day attacks
Incident Version History
CURRENT VERSION
Last Updated: 2026-05-08T06:05
Comprehensive Tactical Telemetry
Highly Correlated Entities
13x | organisation | Identified Entity | Ivanti | entity
7x | attribution | Attributing Entity | SecurityAffairs | authority
7x | timeline | Temporal Reference | May 10, 2026 | date
7x | vulnerability | Exploited CVE | CVE-2026-6973 | cve
4x | infrastructure | Software Version | 7.1 | version
3x | tactic | Cyber Operation Type | Impersonate | tactic
2x | target region | Target Region | EUROPE | region
Contextual Telemetry
Context Block (13 METRICS)
target region | Target Country | United States | country
tactic | MITRE ATT&CK Technique | T1588.006 - Vulnerabilities | technique
infrastructure | Affected Product | Ivanti | software
vulnerability | CVSS Score | 7 | score
general metric | Other Severity Epmm Vulnerabilities | 5,788 | other severity epmm vulnerabilities
general metric | Ivanti Vulnerabilities | 33 | ivanti vulnerabilities
general metric | Wild | 12 | wild
infrastructure | Ip Addresses | 850 | ip addresses
financial | Europe | 508 | europe
general metric | North America | 182 | north america
victims | Customers | 40,000 | customers
general metric | Partners | 7,000 | partners
general metric | May | 14 | may