
U.S. CISA adds a flaw in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog

May 7, 2026, 15:03

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in the Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-6973 (CVSS score of 7.1), to its Known Exploited Vulnerabilities (KEV) catalog.

Ivanti warns customers of a high‑severity zero‑day vulnerability, tracked as CVE‑2026‑6973, in Endpoint Manager Mobile that is already being exploited.

“At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation.” reads the advisory. “We are not aware of any customers being exploited by the other vulnerabilities disclosed today.”

The flaw, caused by improper input validation, allows attackers with admin privileges to execute arbitrary code on systems running EPMM 12.8.0.0 and earlier. Customers are urged to patch immediately to prevent compromise.

Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1 address the vulnerability. The vulnerability doesn’t affect Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by May 10, 2026.

Pierluigi Paganini


U.S. CISA adds a flaw in Ivanti EPMM to its Known Exploited Vulnerabilities catalog

April 8, 2026, 18:35

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Ivanti EPMM to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Ivanti EPMM, tracked as CVE-2026-1340 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog.

The critical vulnerability is a code injection in Ivanti Endpoint Manager Mobile that allows attackers to achieve unauthenticated remote code execution. 

Below is the list of affected versions:

| Product Name | Affected Version(s) | Affected CPE(s) | Resolved Version(s) |
|---|---|---|---|
| Ivanti Endpoint Manager Mobile | 12.5.0.0 and prior; 12.6.0.0 and prior; 12.7.0.0 and prior | cpe:2.3:a:ivanti:endpoint_manager_mobile:12.7.0.0:*:*:*:*:*:*:* | RPM 12.x.0.x |
| Ivanti Endpoint Manager Mobile | 12.5.1.0 and prior; 12.6.1.0 and prior | cpe:2.3:a:ivanti:endpoint_manager_mobile:12.5.1.0:*:*:*:*:*:*:*; cpe:2.3:a:ivanti:endpoint_manager_mobile:12.6.1.0:*:*:*:*:*:*:* | RPM 12.x.1.x |

The software firm is aware of attacks in the wild exploiting this flaw.

“We are aware of a very limited number of customers who have been exploited at the time of disclosure. However, a POC was made available by a third party shortly after disclosure.” warns the company. “We urge all customers to apply the patch as soon as possible and run the Exploitation Detection RPM package as a tool to assist in identifying potential compromise.”

The company released a new RPM detection tool that helps customers check for possible exploitation by scanning for known indicators and generating logs for review. Any suspicious activity before patching may indicate compromise and requires investigation, while alerts after patching are likely just harmless scanning attempts.

The company pointed out that running the RPM tool alone doesn’t guarantee the appliance is clean. It helps detect known indicators of compromise, but absence of findings isn’t proof of safety. Results should be reviewed with the security team and combined with other analysis and tools.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by April 11, 2026.

Pierluigi Paganini


Dutch agencies hit by Ivanti EPMM exploit exposing employee contact data

February 10, 2026, 07:11

Dutch agencies confirmed attacks exploiting Ivanti EPMM flaws that exposed employee contact data at the data protection authority and courts.

Dutch authorities said cyberattacks hit the Dutch Data Protection Authority and the Council for the Judiciary after hackers exploited newly disclosed flaws in Ivanti Endpoint Manager Mobile (EPMM). The incidents were reported to parliament, and the National Cyber Security Center was alerted on January 29 after the vendor disclosed the vulnerabilities. EPMM manages mobile devices, apps, and security, and the attacks exposed employee contact information.

“State Secretary Rutte (JenV) and State Secretary Van Marum (BZK) informed the House of Representatives about the exploitation of a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) at the Dutch Data Protection Authority (AP) and the Judicial Council (Rvdr). EPMM is a system for managing mobile devices, apps, and content, including their security.” reads the advisory. “On 29 January the National Cyber Security Centre (NCSC) was informed by the supplier of vulnerabilities in EPMM. EPMM is used to manage mobile devices, apps and content, including their security. Based on the information known at this moment, I can report that at least the AP and the Rvdr have been affected.”

Attackers accessed work-related contact details of AP staff, including names, work emails, and phone numbers. Authorities quickly took action, informed affected employees, and reported the incident. The NCSC continues to monitor the issue and assess any wider impact across government systems.

“It is now known that work‑related data of AP employees, such as name, business e‑mail address and telephone number, have been accessed by unauthorised parties.” continues the advisory. “As soon as the incident was discovered, measures were taken immediately. In addition, the employees of the AP and the Rvdr were informed.”

This week, the European Commission announced it is investigating a cyberattack on its mobile device management platform after detecting intrusion traces. Attackers may have accessed some staff data, including names and phone numbers, but so far they have not compromised any devices.

On 30 January, the European Commission detected a cyberattack on its mobile device management system. The organization pointed out that no mobile devices were compromised. The Commission contained and cleaned the system within nine hours. It continues to monitor security, strengthen cybersecurity, and review the incident to improve protections, reflecting its commitment to safeguarding EU systems amid ongoing cyber threats to critical services and institutions.

“On 30 January, the European Commission’s central infrastructure managing mobile devices identified traces of a cyber-attack, which may have resulted in access to staff names and mobile numbers of some of its staff members.” reads the advisory. “The Commission’s swift response ensured the incident was contained and the system cleaned within 9 hours. No compromise of mobile devices was detected.”

The Commission has not revealed how the threat actors accessed the mobile device management platform.

The European Computer Emergency Response Team (CERT-EU) is investigating the security breach.

Attackers could use the stolen data to launch targeted vishing and phishing attacks by impersonating colleagues or officials to steal credentials. The stolen data enables reconnaissance for spear phishing or physical targeting of key personnel. Finally, GDPR violations and reputational damage undermine the Union’s cyber credibility.


Pierluigi Paganini
