# Ivanti Releases Critical Patch for Exploited Zero-Day Vulnerability

*Published May 11, 2026*
*Source: [https://www.securityweek.com/ivanti-patches-epmm-zero-day-exploited-in-targeted-attacks/](https://www.securityweek.com/ivanti-patches-epmm-zero-day-exploited-in-targeted-attacks/)*

## Executive Summary

Ivanti has released a security patch for a zero-day vulnerability in its Endpoint Manager Mobile product, which has been exploited in targeted attacks. Organizations are urged to apply the patch immediately to prevent unauthorized access and potential remote code execution.

## Article

Ivanti has issued security updates for its Endpoint Manager Mobile (EPMM) product, addressing five vulnerabilities, including a zero-day flaw that has already been exploited in targeted attacks. The vulnerability, tracked as CVE-2026-6973, is a high-severity improper input validation issue. An authenticated attacker with administrative rights can exploit it to achieve remote code execution. Ivanti has acknowledged that a limited number of customers have been targeted with this exploit.

CVE-2026-6973 could potentially be chained with the previously identified vulnerabilities CVE-2026-1281 and CVE-2026-1340, which facilitate unauthenticated remote code execution, allowing attackers to take full control of the affected mobile device management infrastructure. While Ivanti has not disclosed detailed information about the attacks using CVE-2026-6973, security experts often suspect Chinese state actors in such zero-day exploitations.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-6973 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to mitigate this vulnerability by May 10. Although Ivanti's latest patch addresses other vulnerabilities as well, none of the additional flaws appear to have been exploited in the wild.

Organizations using Ivanti's EPMM should apply the security patches immediately to protect against potential exploitation. In January, Ivanti advised customers affected by CVE-2026-1281 or CVE-2026-1340 to rotate credentials. Because CVE-2026-6973 requires an authenticated attacker with administrative rights, that rotation significantly reduces the risk from CVE-2026-6973.
