Active Exploitation of Critical Zero-Day Flaws in Ivanti EPMM Prompts Urgent Patch Advisory

Critical Zero-Day Vulnerabilities in Ivanti EPMM Under Active Exploitation

Ivanti has recently disclosed multiple critical vulnerabilities in its Endpoint Manager Mobile (EPMM) product, including CVE-2026-6973, which are currently being actively exploited. The company urges all on-premises EPMM customers to apply the available patches immediately to mitigate potential risks.

Details of the Vulnerabilities

The identified vulnerabilities, notably CVE-2026-6973, require administrative authentication for exploitation. These flaws are exclusive to the on-premises version of EPMM and do not affect Ivanti’s cloud-based solutions such as Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or other Ivanti products.

At the time of disclosure, Ivanti reported that the exploitation of these vulnerabilities was very limited. However, the company emphasized that advancements in artificial intelligence have significantly reduced the time between vulnerability disclosure and exploitation, from days to mere hours.

Integration of AI in Security Processes

In response to the evolving threat landscape, Ivanti has integrated advanced large language model (LLM) AI systems into its product security and engineering red team processes. This integration has enhanced the company’s ability to identify and remediate vulnerabilities that traditional static and dynamic analysis tools might overlook. Ivanti maintains a human-in-the-loop policy under which all AI-generated findings are verified by people, ensuring responsible use of AI in its security operations.

Historical Context and Previous Exploitations

Ivanti’s EPMM has been a recurring target for sophisticated threat actors. The Cybersecurity and Infrastructure Security Agency (CISA) has listed at least 31 Ivanti vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog since late 2021. Notably, at least 19 vulnerabilities across Ivanti products have been exploited in the past two years.

Previous zero-day campaigns against EPMM include:

– CVE-2025-4427 and CVE-2025-4428 in May 2025

– CVE-2023-35078 and CVE-2023-35082 in 2023

Some of these attacks have been attributed to state-sponsored threat groups, highlighting the high-value position of EPMM in enterprise mobile device management infrastructure.

Mitigation Measures

Ivanti strongly recommends that all on-premises EPMM administrators take the following immediate actions:

– Apply Security Patches: Implement the available security patches to all on-premises EPMM instances without delay.

– Monitor Logs: Regularly review Apache access logs located at `/var/log/httpd/https-access_log` for any signs of attempted or successful exploitation.

– Network Segmentation: Restrict EPMM administrative interfaces to trusted networks only to minimize exposure.

– Policy Review: Assess and strengthen mobile device management policies to reduce the overall attack surface.

– Stay Informed: Subscribe to Ivanti’s Security Blog and the Ivanti Innovators Hub for real-time vulnerability alerts and updates.
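A defender-side starting point for the log-review and segmentation items above, added here as an example (not Ivanti's code or tooling): it parses Apache combined-format lines like those written to the advisory's log path and flags administrative-interface requests that originate outside the trusted networks, separating successful requests from denied ones and counting denials per source. The trusted network range and the `/mifs/admin` path prefix are assumptions to be replaced with the deployment's own values; the sample log lines are constructed.

```python
import ipaddress
import re

# Assumption: networks from which EPMM administration is permitted.
TRUSTED_ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumption: URL prefixes of the admin interface; adjust to your deployment.
ADMIN_PREFIXES = ("/mifs/admin",)
LINE_RE = re.compile(  # Apache "combined" log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

def parse_line(line):
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def is_trusted(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_ADMIN_NETWORKS)
    except ValueError:  # not an IP address at all
        return False

def review(lines):
    """Admin requests from outside trusted networks, split by outcome, plus denials per source."""
    out = {"untrusted_admin_success": [], "untrusted_admin_denied": [], "unparsed": 0}
    denied = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            out["unparsed"] += 1  # malformed lines deserve a look too
            continue
        if not rec["path"].startswith(ADMIN_PREFIXES) or is_trusted(rec["ip"]):
            continue
        hit = (rec["ip"], rec["ts"], rec["method"], rec["path"], int(rec["status"]))
        if 200 <= hit[4] < 400:
            out["untrusted_admin_success"].append(hit)
        else:
            out["untrusted_admin_denied"].append(hit)
            denied[rec["ip"]] = denied.get(rec["ip"], 0) + 1
    out["denied_by_source"] = denied
    return out

# Constructed sample lines in the format of /var/log/httpd/https-access_log (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:02:14:05 +0000] "POST /mifs/admin/login HTTP/1.1" 401 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Mar/2026:02:14:06 +0000] "POST /mifs/admin/login HTTP/1.1" 401 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Mar/2026:02:14:09 +0000] "POST /mifs/admin/login HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
    '10.20.1.5 - - [10/Mar/2026:08:00:01 +0000] "GET /mifs/admin/dashboard HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    "this line is not in combined log format",
]
```

In production, pass the lines read from the real log file to `review()` and treat any entry in `untrusted_admin_success` as a priority for investigation.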

Ivanti has provided detailed remediation instructions through its official Security Advisory. The company notes that the patch packages are designed to be applied quickly, causing no downtime, thereby facilitating prompt mitigation of these critical vulnerabilities.