Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label zero day. Show all posts
zero day
CISA EPMM IP Address Ivanti EPM ransomware security flaws vulnerabilities and Exploits zero day

Ivanti Patches New EPMM Vulnerability Linked to Active Zero-Day Exploitation

 



Software provider Ivanti has released security updates for a newly identified vulnerability in its Endpoint Manager Mobile (EPMM) platform after confirming that the flaw has already been used in limited zero-day attacks.

The vulnerability, tracked as CVE-2026-6973, has been classified as high severity. According to Ivanti, the issue is caused by improper input validation, which refers to a weakness in how an application processes and checks incoming data before handling a request. If exploited successfully, the flaw could allow a remote attacker with administrator-level access to run arbitrary code on vulnerable systems.

Ivanti stated that the vulnerability affects EPMM version 12.8.0.0 and earlier releases. To reduce exposure, the company has issued patched versions including EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1. The company is also advising customers to review accounts with administrative privileges and rotate credentials where necessary, particularly in environments where earlier compromise activity may have occurred.

In its advisory, Ivanti said the exploitation activity observed so far appears to be limited in scope and requires valid administrator authentication in order to succeed. The company added that it has not identified active exploitation involving the additional vulnerabilities disclosed alongside CVE-2026-6973.

Ivanti also clarified that the issue impacts only the on-premises version of Endpoint Manager Mobile. The company said the flaw does not affect Ivanti Neurons for MDM, which is its cloud-based endpoint management platform. Other products, including Ivanti EPM and Ivanti Sentry, were also listed as unaffected.

Data published by internet monitoring organization Shadowserver Foundation currently shows more than 850 internet-accessible IP addresses associated with Ivanti EPMM deployments. Most of the exposed systems appear to be located in Europe, followed by North America. However, there is still no public visibility into how many of those servers have already installed the latest patches.

Alongside the actively exploited flaw, Ivanti disclosed fixes for four additional high-severity vulnerabilities identified as CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821. According to the company, these flaws could potentially be used to obtain administrator access, impersonate registered Sentry hosts to receive valid certificate authority-signed client certificates, invoke unauthorized methods, or gain access to restricted information stored within affected environments.

The company stated that it currently has no evidence showing these four vulnerabilities have been exploited in real-world attacks. Ivanti also noted that CVE-2026-7821 affects only organizations using Apple Device Enrollment configurations.

The latest disclosure follows earlier security incidents involving Ivanti EPMM earlier this year. In January, the company disclosed two separate code-injection vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, which were also exploited as zero-days against what Ivanti described at the time as a very limited number of customers.

Ivanti now says customers who followed its earlier recommendation to rotate credentials after the January incidents are likely to face a significantly lower risk of exploitation from CVE-2026-6973. The guidance reflects a growing concern within the cybersecurity industry that attackers often attempt to reuse stolen administrative credentials across multiple intrusion campaigns.

The issue also drew attention from the U.S. Cybersecurity and Infrastructure Security Agency earlier this year. In April, the agency instructed federal civilian agencies to secure vulnerable systems against attacks involving CVE-2026-1340 within four days after adding the flaw to its Known Exploited Vulnerabilities catalog.

Ivanti products have repeatedly appeared in incident response investigations over the last several years, particularly because endpoint and device management platforms typically operate with elevated privileges across enterprise networks. Security agencies and researchers have warned that these systems remain attractive targets for threat actors seeking broad administrative control over organizational infrastructure.

According to data previously published by CISA, 33 Ivanti vulnerabilities have been publicly identified as exploited in the wild, including 12 that were also linked to ransomware-related activity.

Ivanti says it currently serves more than 40,000 customers worldwide through a partner network consisting of over 7,000 organizations.

Read more »
Subscribe to: Posts (Atom)