Ivanti EPMM Zero-Day Under Active Exploit — Patch Now, Rotate Admin Credentials

Ivanti has shipped fixes for a new zero-day in its on-prem Endpoint Manager Mobile (EPMM) product, CVE-2026-6973, that is already being exploited in the wild. The flaw lets a remote authenticated user with admin privileges run arbitrary code on the EPMM appliance, and Ivanti has confirmed it’s been used in targeted attacks. As reported by Help Net Security, CISA added it to the Known Exploited Vulnerabilities catalogue and gave US federal agencies just three days — the deadline lapsed yesterday.

This is the fifth EPMM zero-day in six months. Earlier flaws (CVE-2026-1281 and CVE-2026-1340) were used to drop sleeper webshells inside the European Commission, the Dutch Data Protection Authority and Finland’s central government ICT service. If you didn’t rotate admin credentials after that round of patches in January, an attacker who picked them up then can chain straight into this new bug. The risk concentrates on Australian organisations running on-prem EPMM to manage staff phones — common in financial services, healthcare and government. Cloud Ivanti Neurons for MDM is not affected.

What to do today. Upgrade EPMM to 12.6.1.1, 12.7.0.1 or 12.8.0.1, whichever fixed branch you’re on. Audit every account that holds admin rights on the EPMM console and rotate those credentials — even ones that look untouched. Review your Sentry appliance configuration at the same time, because EPMM compromise can pivot through it. Ivanti has stated there are no reliable atomic indicators of compromise for this CVE, so assume nothing and treat exposed appliances as suspect until proven clean.

If you’re not sure whether this affects you, your IT provider should be able to confirm in minutes. Our team handles Ivanti and other endpoint platforms across our managed IT clients — if you’d like a second set of eyes on your EPMM posture, get in touch.