IVANTI published its May 2026 security updates for Endpoint Manager Mobile (EPMM) to address five vulnerabilities, including a zero-day that has been exploited in targeted attacks. The exploited flaw, tracked as CVE-2026-6973, is a high-severity improper input validation issue that can be exploited by an authenticated attacker with admin privileges for remote code execution.
Ivanti says it is aware of a “very limited number of customers” being targeted in attacks exploiting CVE-2026-6973, and notes that rotating credentials, as recommended in January for CVE-2026-1281 and CVE-2026-1340, reduces the risk of exploitation from CVE-2026-6973. Based on this information, CVE-2026-6973 may have been chained with CVE-2026-1281 or CVE-2026-1340, which allow unauthenticated remote code execution and could give an attacker control of the targeted MDM infrastructure.
CVE-2026-1281 and CVE-2026-1340 were initially leveraged in targeted zero-day attacks, with exploitation surging after their disclosure, according to SecurityWeek. CISA added CVE-2026-6973 to its KEV catalog, instructing federal agencies to address it by 10 May, while Ivanti notes the remaining patched vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788 and CVE-2026-7821) do not appear to have been exploited in the wild.