Ivanti EPMM CVE-2026-6973: Active Vulnerability with Administrative Access

Summary: Ivanti has issued an alert about a new vulnerability in Endpoint Manager Mobile (EPMM) that has been exploited in limited attacks. This vulnerability, CVE-2026-6973, allows remote code execution for users with administrative access, posing a significant risk.

Critical new vulnerability in Ivanti EPMM allows remote code execution without authentication

A critical new vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, and is reportedly already being actively exploited by security researchers.

The vulnerability, identified as CVE-2026-6973, allows remote attackers to execute arbitrary code without prior authentication, quickly becoming a high-priority threat for organizations and entities using the mobile device management platform.

The issue was revealed by The Hacker News and directly affects internet-exposed servers running EPMM (Endpoint Manager Mobile), which organizations use to manage smartphones, tablets, and corporate devices.

According to the report, the vulnerability stems from a flaw related to the insecure processing of requests within certain components of the system. An attacker can send specially crafted requests to execute remote commands on the affected server, potentially gaining complete control over the compromised environment.

The most concerning aspect for experts is that the exploitation does not require valid credentials. This means that an external attacker could compromise a vulnerable server simply by having network access to the exposed service.

Researchers also indicate that real exploitation attempts have already been observed on the internet, significantly increasing the urgency to implement mitigation and security updates.

Ivanti confirmed the issue and released patches for affected versions of EPMM. The company recommended that administrators immediately update their systems and review potential indicators of compromise in publicly exposed environments.

The company also noted that the incident is being monitored alongside external investigators and incident response organizations.

Over the past few years, Ivanti has become a frequent target of sophisticated cyberattacks. Various criminal groups and state-sponsored actors have exploited vulnerabilities in VPN, gateway, and enterprise management tools developed by the company.

Security experts warn that platforms like EPMM represent particularly attractive targets because they typically operate with high privileges within corporate networks and manage large quantities of corporate mobile devices.

An attacker who manages to compromise this type of infrastructure could:

  • gain access to managed devices
  • steal corporate credentials
  • intercept internal communications
  • deploy malware
  • move laterally within the corporate network

Furthermore, MDM (Mobile Device Management) systems are often integrated with critical services such as Active Directory, corporate email, and internal authentication platforms, further increasing the potential impact of a breach.

The situation once again highlights a recurring problem in the corporate cybersecurity ecosystem: remote administration and corporate access systems continue to be among the most exploited vectors by sophisticated attackers.

Experts recommend that affected organizations:

  • apply Ivanti's published patches immediately
  • limit public exposure of EPMM servers
  • review logs for suspicious activity
  • weak administrative credentials
  • monitor access attempts from unknown IP addresses

The speed with which this vulnerability transitioned from being discovered to being actively exploited once again demonstrates how the response time for companies is continuously decreasing in the modern threat landscape.

In a context where attackers automate scans and new critical vulnerabilities emerge rapidly, delaying security updates, even by a few hours, can become a significant risk for organizations exposed to the internet.

The Hacker News – Ivanti EPMM CVE-2026-6973 Remote Code Execution Under Active Exploitation

Key facts

  • Vulnerability in EPMM that allows remote code execution.
  • Affects versions prior to 12.6.1.1.
  • Requires administrative access to be exploited.

Why it matters

Exploitation of this vulnerability could allow attackers to gain complete control over affected systems, potentially leading to severe consequences for information security and data confidentiality. This could result in data loss, the theft of sensitive information, and unauthorized access to critical systems.
