Ivanti has released a critical security advisory for its Endpoint Manager Mobile (EPMM) product after confirming that multiple vulnerabilities are being actively exploited in the wild. The company specifically identified CVE-2026-6973 as one of the issues under attack and urged all customers running on-premises EPMM deployments to patch immediately.
According to Ivanti, the problem affects only on-premises EPMM installations. The company states that the issue does not affect Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management platform, nor Ivanti EPM, Ivanti Sentry, or other Ivanti products. At the time of disclosure, Ivanti described exploitation activity as very limited, but still serious enough to warrant urgent remediation.
What Ivanti Disclosed
Ivanti’s advisory centers on actively exploited vulnerabilities in EPMM, with CVE-2026-6973 specifically confirmed as being abused by attackers. The company noted that this vulnerability requires admin authentication to succeed. Ivanti did not provide further public detail about the exact root cause, so the underlying cause has not been confirmed.
The vendor emphasized that the advisory applies only to on-premises EPMM deployments. Organizations using cloud-hosted Ivanti Neurons for MDM are not affected by the disclosed flaws. Ivanti also said that patch packages are designed to take only seconds to apply and do not cause downtime.
Why EPMM Keeps Drawing Attention
Ivanti’s EPMM platform has been repeatedly targeted in prior security incidents, underscoring its value in enterprise mobile device management environments. The source notes that CISA has added at least 31 Ivanti defects to its Known Exploited Vulnerabilities catalog since late 2021, and that at least 19 defects across Ivanti products have been exploited over the past two years.
Previous zero-day activity against EPMM included CVE-2025-4427 and CVE-2025-4428 in May 2025, as well as CVE-2023-35078 and CVE-2023-35082 in 2023. Ivanti said that some of those campaigns were attributed to sophisticated threat groups, though the current advisory does not expand on attribution for the newly disclosed exploitation.
Ivanti’s AI-Assisted Security Approach
In the same disclosure, Ivanti said it has integrated multiple advanced large language model systems into its product security and engineering red team workflows. The company says these AI-assisted processes have helped identify vulnerabilities that traditional static analysis and dynamic analysis tools may miss.
Ivanti also stated that some of the vulnerabilities disclosed in the May 2026 advisory were discovered directly through this process. The company added that it keeps a human in the loop to verify automated and agentic findings before acting on them.
Recommended Mitigations for Administrators
Ivanti is urging all on-premises EPMM administrators to take immediate action. The company’s guidance is straightforward: apply the patch, review access logs, and reduce exposure where possible.
- Apply the available security patch to all on-premises EPMM instances immediately
- Monitor Apache access logs at /var/log/httpd/https-access_log for signs of attempted or successful exploitation
- Restrict administrative interfaces to trusted networks through network segmentation
- Review and harden mobile device management policies to reduce attack surface
- Subscribe to Ivanti’s Security Blog and the Ivanti Innovators Hub for vulnerability alerts
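One way to combine the log-review and trusted-network items above, as an added example that is not Ivanti's tooling or guidance: it lists requests to the administrative interface that came from outside the management networks, which matters because the confirmed flaw requires admin authentication. The trusted subnet, the admin URL prefix (a placeholder) and the sample log lines are assumptions constructed for illustration, and the parser assumes Apache combined log format.

```python
import ipaddress
import re
from collections import Counter

# Apache combined log format: client, ident, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Assumptions: substitute your management subnets and your admin URL prefix.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
ADMIN_PREFIX = "/ADMIN-PATH-PLACEHOLDER/"

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '10.20.0.15 - - [12/May/2026:09:14:02 +0000] "GET /ADMIN-PATH-PLACEHOLDER/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2026:09:15:40 +0000] "POST /ADMIN-PATH-PLACEHOLDER/login HTTP/1.1" 401 310 "-" "curl/8.5.0"',
    '203.0.113.7 - - [12/May/2026:09:15:44 +0000] "POST /ADMIN-PATH-PLACEHOLDER/settings HTTP/1.1" 200 842 "-" "curl/8.5.0"',
    '198.51.100.23 - - [12/May/2026:09:16:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'truncated line without request field',
]

def untrusted_admin_hits(lines, trusted=TRUSTED_NETS, prefix=ADMIN_PREFIX):
    """Return (hits, unparsed) for admin-path requests from untrusted sources."""
    hits, unparsed = [], []
    for line in lines:
        m = LOG_RE.match(line)
        try:
            ip = ipaddress.ip_address(m["ip"]) if m else None
        except ValueError:  # first field was a hostname, not an address
            ip = None
        if ip is None:
            unparsed.append(line)  # keep for manual review, never drop silently
            continue
        if m["path"].startswith(prefix) and not any(ip in n for n in trusted):
            hits.append({"ip": str(ip), "ts": m["ts"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    return hits, unparsed

def summarize(hits):
    """Count hits per (source IP, succeeded), success meaning status < 400."""
    return Counter((h["ip"], h["status"] < 400) for h in hits)

if __name__ == "__main__":
    hits, unparsed = untrusted_admin_hits(SAMPLE)
    for (ip, ok), n in sorted(summarize(hits).items()):
        print(f"{ip} {'succeeded' if ok else 'rejected'} x{n}")
    print(f"{len(unparsed)} unparsed line(s)")
```

A rejected login followed by a successful admin request from the same untrusted address, as in the constructed sample, is the kind of sequence worth escalating for review.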
Ivanti said the exploit window for newly disclosed vulnerabilities has become much shorter as advanced AI tools spread, shrinking from days to mere hours after public disclosure. The company framed its increased use of AI in security as a transparency and resilience initiative rather than evidence of a weakened security posture.
Conclusion
For now, the key message is simple: on-premises Ivanti EPMM customers should treat this as an urgent patching event. Ivanti has confirmed active exploitation, provided mitigation steps, and stressed that affected administrators should act without delay.