Ivanti Releases Patch for EPMM Zero‑Day CVE‑2026‑6973 Exploited in Attacks
Ivanti has issued an emergency patch for a critical zero‑day vulnerability in its Endpoint Manager Mobile (EPMM) platform, tracked as CVE‑2026‑6973. The flaw, rated 9.1 on the CVSS v3.1 scale, resides in the admin console’s API endpoint that fails to properly sanitize user‑supplied input, enabling an authenticated administrator to execute arbitrary operating‑system commands on the underlying server. Security researchers first identified the issue after observing targeted exploitation attempts against several organizations in the government and defense sectors.
The attacks have been linked to an advanced persistent threat (APT) actor, tentatively designated as UNC2442, which leveraged the vulnerability to gain initial access, escalate privileges and deploy a lightweight backdoor for long‑term presence. According to a joint advisory from Ivanti and Mandiant, the adversaries used spear‑phishing lures disguised as mobile‑device‑management (MDM) configuration files to obtain admin credentials, then issued crafted API calls that injected malicious payloads directly into the EPMM backend. The campaign’s indicators of compromise (IOCs) include anomalous outbound HTTPS traffic to an IP address in the 185.220.101.0/24 range and the presence of a digitally signed DLL named "CoreService.dll" on compromised servers.
Ivanti has released version 22.7.2 of EPMM, which remediates CVE‑2026‑6973 by implementing stricter input validation and hardening the API authentication mechanism. Administrators are urged to update immediately and to review the official security advisory (Ivanti‑SA‑2026‑001) for full patch instructions. As a precautionary measure, the company recommends restricting the admin interface to trusted IP subnets, enabling multi‑factor authentication for all administrative accounts, and enabling detailed audit logging to detect any attempts to exploit the previously vulnerable endpoint.
Organizations that cannot apply the patch right away should consider temporary mitigations such as disabling the vulnerable API route, implementing network‑level segmentation, and scanning their servers with the YARA rules published by the Ivanti Threat Intelligence team. CISA has also added CVE‑2026‑6973 to its Known Exploited Vulnerabilities catalog, urging federal agencies to remediate the flaw by the end of the month. Security teams should audit their EPMM installations for the indicators of compromise listed above and report any suspicious activity to Ivanti support or the appropriate national CERT.
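The two indicators the advisory lists (outbound HTTPS into 185.220.101.0/24 and a DLL named CoreService.dll) are the kind of thing a security team can sweep for mechanically. The script below is an added example, not code from the article, Ivanti or Mandiant: it applies those two IOCs to an outbound-connection log and to a file listing. The log format (space-separated timestamp, source host, destination IP, port, protocol), the sample log lines, and the file paths are all constructed for the example; real EPMM log formats and install paths will differ.

```python
"""
Added example (not from the article or from Ivanti/Mandiant): a small IOC
sweep that applies the two indicators reported for CVE-2026-6973, outbound
HTTPS to 185.220.101.0/24 and a DLL named CoreService.dll, to a constructed
connection log and a constructed file listing.
"""
import ipaddress

# IOCs as reported in the article (the /24 written in full CIDR form).
SUSPICIOUS_NET = ipaddress.ip_network("185.220.101.0/24")
SUSPICIOUS_DLL = "coreservice.dll"  # compared case-insensitively

# Constructed sample of an outbound-connection log. Assumed format:
# <timestamp> <src_host> <dst_ip> <dst_port> <proto>
SAMPLE_CONN_LOG = """\
2026-03-02T10:14:07Z epmm-core01 203.0.113.25 443 tcp
2026-03-02T10:14:09Z epmm-core01 185.220.101.47 443 tcp
2026-03-02T10:15:30Z epmm-core01 192.0.2.80 443 tcp
2026-03-02T10:16:02Z epmm-core01 185.220.101.200 8443 tcp
2026-03-02T10:16:44Z epmm-core01 not-an-ip 443 tcp
"""

# Constructed file listing from an EPMM host (paths are made up for the example).
SAMPLE_FILE_LIST = [
    "/opt/epmm/lib/CoreService.dll",
    "/opt/epmm/lib/legit-module.jar",
    "C:\\ProgramData\\coreservice.DLL",
]


def parse_conn_line(line):
    """Split one log line into (timestamp, src, dst_ip, port); None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        dst = ipaddress.ip_address(parts[2])
        port = int(parts[3])
    except ValueError:
        return None  # skip lines with an unparsable destination or port
    return parts[0], parts[1], dst, port


def find_suspicious_connections(log_text, net=SUSPICIOUS_NET):
    """Return (timestamp, src, dst) for every HTTPS-style connection into `net`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None:
            continue
        ts, src, dst, port = rec
        # The advisory describes anomalous outbound HTTPS; 443 and 8443 both count here.
        if dst in net and port in (443, 8443):
            hits.append((ts, src, str(dst)))
    return hits


def find_suspicious_files(paths, name=SUSPICIOUS_DLL):
    """Return paths whose basename matches the DLL IOC, for POSIX or Windows paths."""
    matches = []
    for p in paths:
        base = p.replace("\\", "/").rsplit("/", 1)[-1]
        if base.lower() == name:
            matches.append(p)
    return matches


if __name__ == "__main__":
    for hit in find_suspicious_connections(SAMPLE_CONN_LOG):
        print("network IOC hit:", hit)
    for path in find_suspicious_files(SAMPLE_FILE_LIST):
        print("file IOC hit:", path)
```

Matching is done with the `ipaddress` module rather than a string prefix so that addresses such as 185.220.1.x are not accidentally flagged, and the file check normalizes path separators and case so a renamed-case copy of the DLL on a Windows host is still caught. A hit on either indicator is a reason to pull the host's audit logs for the admin API, not proof of compromise on its own.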