New Ivanti EPMM Zero-Day CVE-2026-6973 Actively Exploited — Patch Immediately

dark6 8 May 2026
Ivanti has disclosed a new zero-day vulnerability in its Endpoint Manager Mobile (EPMM) on-premises product, tracked as CVE-2026-6973, and confirmed that the flaw is already being actively exploited in the wild. The disclosure is part of Ivanti’s May 2026 security advisory, which covers multiple vulnerabilities across the EPMM product line — all affecting only on-premises deployments.

What Is CVE-2026-6973?

CVE-2026-6973 is a vulnerability in Ivanti EPMM that requires admin-level authentication to exploit. While authenticated-only flaws are often considered lower risk, Ivanti explicitly confirmed active exploitation at the time of disclosure, underscoring that threat actors already possess the necessary access — or the means to obtain it — to weaponize this flaw in real-world attacks.

Exploitation activity was described as “very limited” at the time of public disclosure, though Ivanti strongly cautioned that advanced AI models have dramatically compressed the time-to-exploit window. What once took threat actors days to develop into a working exploit can now happen in mere hours after a vulnerability becomes public knowledge.

The flaws covered in this advisory exclusively affect the on-premises EPMM product and are not present in Ivanti Neurons for MDM (the cloud-based solution), Ivanti EPM, Ivanti Sentry, or any other Ivanti products.

A Recurring High-Value Target

Ivanti EPMM has a long and well-documented history as a target for sophisticated threat actors. CISA has added at least 31 Ivanti vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog since late 2021, and at least 19 vulnerabilities across Ivanti products have been exploited in the past two years alone.

Previous zero-day campaigns against EPMM include:

  • CVE-2025-4427 and CVE-2025-4428 (May 2025) — actively exploited in the wild
  • CVE-2023-35078 and CVE-2023-35082 (2023) — attributed to Chinese state-sponsored threat groups

This consistent targeting reflects EPMM’s high-value position in enterprise mobile device management infrastructure — a single compromised MDM platform can grant attackers policy-level access to thousands of managed endpoints across an organization.

AI-Assisted Vulnerability Discovery

In a notable shift in its vulnerability management strategy, Ivanti disclosed that it has integrated multiple advanced large language model (LLM) AI systems into its product security and engineering red team processes. This AI-assisted approach has enhanced its security teams’ ability to identify vulnerabilities that traditional static analysis (SAST) and dynamic analysis (DAST) tools typically miss.

Ivanti acknowledged that some of the vulnerabilities being disclosed in this advisory were discovered directly through this AI-assisted process. The company maintains a “human in the loop” policy to verify all automated findings before disclosure, ensuring responsible use of AI in its security program.

Ivanti also warned that customers should expect an increase in vulnerability disclosures as AI tooling becomes further embedded in its security processes — framing this transparency as a proactive step toward more resilient products, not a sign of weakening security posture.

Mitigation and Patch Guidance

Ivanti has published detailed remediation instructions through its official Security Advisory, with patch packages the company says take only seconds to apply and cause no downtime. Administrators running on-premises EPMM deployments should take immediate action:

  • Apply the patch packages detailed in Ivanti’s May 2026 Security Advisory immediately
  • Review admin-level account access and audit recent authentication logs for anomalous activity
  • Restrict EPMM admin console access to trusted IP ranges via firewall rules
  • Monitor for indicators of compromise including unauthorized MDM profile pushes or configuration changes
  • Consider migrating to Ivanti Neurons for MDM (cloud-based) to eliminate on-premises attack surface

Organizations running cloud-based Ivanti Neurons for MDM are not impacted by this advisory and require no action.
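As an added example (not Ivanti's code; the log line format, field names and trusted address range are constructed stand-ins for whatever audit export a real EPMM deployment produces), the following Python script puts the second and third checklist items above into practice. It parses admin audit lines, flags successful admin logins and sensitive MDM actions (profile pushes, configuration changes, admin creation) that originate outside an assumed trusted admin-console range, and flags a successful login that immediately follows a burst of failed attempts for the same account and source.

```python
"""Hunt for anomalous admin activity in EPMM-style audit logs.

Added illustrative example. The log schema, field names, action names and
IP ranges below are CONSTRUCTED for the demo and are not Ivanti's real
EPMM audit format; adapt parse_line() to the actual export before use.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample audit export. The failed-then-successful login from
# 203.0.113.45 followed by a fleet-wide profile push is the scenario the
# advisory's checklist tells administrators to look for.
SAMPLE_LOG = """\
2026-05-08T02:58:01Z user=jdoe src=192.0.2.17 action=LOGIN result=SUCCESS
2026-05-08T03:11:02Z user=mdm-admin src=203.0.113.45 action=LOGIN result=FAILURE
2026-05-08T03:11:09Z user=mdm-admin src=203.0.113.45 action=LOGIN result=FAILURE
2026-05-08T03:11:15Z user=mdm-admin src=203.0.113.45 action=LOGIN result=FAILURE
2026-05-08T03:11:31Z user=mdm-admin src=203.0.113.45 action=LOGIN result=SUCCESS
2026-05-08T03:12:44Z user=mdm-admin src=203.0.113.45 action=PROFILE_PUSH result=SUCCESS target=all-devices
2026-05-08T09:04:10Z user=jdoe src=192.0.2.17 action=CONFIG_CHANGE result=SUCCESS target=ldap-settings
"""

# Assumed trusted admin-console range (constructed; RFC 5737 documentation
# prefix). In practice this mirrors the firewall allow-list for the console.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Actions that change MDM state and therefore matter most after a compromise.
SENSITIVE_ACTIONS = {"PROFILE_PUSH", "CONFIG_CHANGE", "ADMIN_CREATE"}
FAILED_LOGIN_THRESHOLD = 3

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts")}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("kv")):
        event[key] = value
    if not {"user", "src", "action", "result"}.issubset(event):
        return None
    return event


def is_trusted(src):
    """True if the source address falls inside a trusted admin range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is never trusted
    return any(addr in net for net in TRUSTED_NETS)


def analyze(log_text):
    """Return a list of findings, each a dict with ts/user/src/reason."""
    findings = []
    # Consecutive failed logins per (user, source) pair.
    failures = defaultdict(int)

    def flag(ev, reason):
        findings.append({"ts": ev["ts"], "user": ev["user"],
                         "src": ev["src"], "reason": reason})

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        trusted = is_trusted(ev["src"])
        if ev["action"] == "LOGIN":
            if ev["result"] == "FAILURE":
                failures[key] += 1
                continue
            # Success after a burst of failures looks like credential guessing.
            if failures[key] >= FAILED_LOGIN_THRESHOLD:
                flag(ev, "login-success-after-repeated-failures")
            failures[key] = 0
            if not trusted:
                flag(ev, "admin-login-from-untrusted-source")
        elif ev["action"] in SENSITIVE_ACTIONS and not trusted:
            flag(ev, "sensitive-action-from-untrusted-source")
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}@{f['src']}: {f['reason']}")
```

Run it directly to print the three findings from the constructed sample; the honest local admin activity from the trusted range produces none. The trusted-range check is the log-side twin of the firewall restriction in the checklist: if the console is already limited to known ranges, any successful login or profile push from elsewhere in historical logs is a strong signal that the restriction was bypassed or not yet in place when the activity occurred.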

Broader Context

The active exploitation of CVE-2026-6973 at the moment of disclosure is a worrying pattern. It suggests threat actors — potentially state-sponsored groups with a historical interest in Ivanti EPMM — had either pre-positioned themselves or were actively monitoring for the disclosure. Enterprise security teams should treat unpatched EPMM instances as actively compromised until patches are applied and a thorough incident response review is conducted.
