Ivanti has issued an urgent security advisory for its Endpoint Manager Mobile (EPMM) platform, formerly known as MobileIron Core, following the discovery of several high-severity vulnerabilities. Most concerningly, the company has confirmed that at least one of these flaws is already being leveraged by threat actors in active attacks.
The advisory details five high-severity security holes that could allow attackers to compromise mobile device management infrastructure.
The primary focus of the advisory is CVE-2026-6973, a vulnerability that Ivanti confirms has seen “a very limited number of customers exploited” in real-world scenarios.
While successful exploitation of this specific flaw requires Admin authentication, Ivanti highlights a critical link to previous security incidents. The advisory notes, “If customers followed Ivanti’s recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced”.
This connection suggests that attackers may be using credentials harvested during earlier breaches to fuel this current wave of exploitation.
While most of the newly disclosed flaws require some level of access, CVE-2026-7821 stands out as a high-severity threat that can be triggered by an unauthenticated attacker.
However, Ivanti clarifies that the risk is environment-specific: “While CVE-2026-7821 is unauthenticated, if customers have not configured and are not using Apple Device Enrollment they are not at risk from this vulnerability”.
For organizations that do rely on Apple’s automated enrollment services, this represents a significant open door that requires immediate patching.
Ivanti strongly recommends that all customers review accounts with administrative rights and rotate those credentials immediately, especially if they have not done so since the beginning of the year.
To fully remediate these vulnerabilities, administrators must update to one of the following fixed releases:
- 12.6.1.1
- 12.7.0.1
- 12.8.0.1