Ivanti Patches EPMM Zero-Day Exploited in Targeted Attacks

Ivanti on Thursday revealed its May 2026 security updates for the Endpoint Manager Mobile (EPMM) product to address five vulnerabilities, including a zero-day exploited in targeted attacks.

The exploited flaw, tracked as CVE-2026-6973, is a high-severity improper input validation issue that can be exploited by an authenticated attacker with admin privileges for remote code execution.

Ivanti says it's aware of a "very limited number of customers" being targeted in attacks exploiting CVE-2026-6973.

"If customers adopted Ivanti's advice in January to rotate credentials when you have been exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is considerably decreased," the vendor noted in its advisory.

Based on this information, CVE-2026-6973 may have been chained with CVE-2026-1281 or CVE-2026-1340, which allow unauthenticated remote code execution, enabling an attacker to gain full control of the targeted MDM infrastructure.

CVE-2026-1281 and CVE-2026-1340 were initially also leveraged in targeted zero-day attacks, but exploitation surged shortly after their disclosure.

Ivanti has not shared any other information on the attacks involving CVE-2026-6973. However, it's worth noting that Chinese threat actors are often believed to be behind zero-day attacks targeting Ivanti product flaws.

CISA added CVE-2026-6973 to its KEV catalog on Thursday, instructing federal agencies to address it by May 10. CISA's KEV list currently includes 34 Ivanti product vulnerabilities.

Ivanti pointed out in its advisory that the remaining vulnerabilities patched with the latest EPMM updates do not appear to have been exploited in the wild.

These security holes are tracked as CVE-2026-5786, CVE-2026-5787, CVE-2026-5788 and CVE-2026-7821, and they can be exploited for privilege escalation, obtaining consumer certificates, invoking arbitrary methods, and information disclosure.
