Ivanti on Thursday published its May 2026 security updates for the Endpoint Manager Mobile (EPMM) product to address five vulnerabilities, including a zero-day exploited in targeted attacks.
The exploited flaw, tracked as CVE-2026-6973, is a high-severity improper input validation issue that can be exploited by an authenticated attacker with admin privileges for remote code execution.
Ivanti says it’s aware of a “very limited number of customers” being targeted in attacks exploiting CVE-2026-6973.
“If customers followed Ivanti’s recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced,” the vendor noted in its advisory.
Based on this information, CVE-2026-6973 may have been chained with CVE-2026-1281 or CVE-2026-1340, which allow unauthenticated remote code execution, enabling an attacker to gain complete control of the targeted MDM infrastructure.
CVE-2026-1281 and CVE-2026-1340 were initially also leveraged in targeted zero-day attacks, but exploitation surged shortly after their disclosure.
Ivanti has not shared any other information on the attacks involving CVE-2026-6973. However, it’s worth noting that Chinese threat actors are often believed to be behind zero-day attacks targeting Ivanti product flaws.
CISA added CVE-2026-6973 to its KEV catalog on Thursday, instructing federal agencies to address it by May 10. CISA’s KEV list currently includes 34 Ivanti product vulnerabilities.
Ivanti pointed out in its advisory that the remaining vulnerabilities patched with the latest EPMM updates do not appear to have been exploited in the wild.
These security holes are tracked as CVE-2026-5786, CVE-2026-5787, CVE-2026-5788 and CVE-2026-7821, and they can be exploited for privilege escalation, obtaining client certificates, invoking arbitrary methods, and information disclosure.
Related: Two Vulnerabilities Patched in Ivanti Neurons for ITSM
Related: Fortinet, Ivanti, Intel Patch High-Severity Vulnerabilities
Related: Ivanti Patches Endpoint Manager Vulnerabilities Disclosed in October 2025
