Ivanti patches five vulnerabilities in EPMM, one actively being exploited

Ivanti has addressed five vulnerabilities in Endpoint Manager Mobile (EPMM). One of them, CVE-2026-6973, is being actively exploited by attackers with admin privileges. The Dutch NCSC has set the advisory to “high” priority and expects proof-of-concept code to appear soon, increasing the risk of widespread exploitation.

Ivanti reports that the exploitation affected only a small number of users. Customers who already updated their login credentials in January are at significantly lower risk.

In addition to CVE-2026-6973, four other vulnerabilities have been patched. CVE-2026-5786 allows an authenticated attacker to gain administrative access. More dangerous are the three vulnerabilities that do not require authentication. CVE-2026-5788 enables unauthenticated remote code execution. CVE-2026-5787 allows an attacker to impersonate a registered Sentry system to obtain CA-signed client certificates. CVE-2026-7821 provides access to sensitive data by registering a device with a set of unregistered devices.

PoC code expected, large-scale abuse looms

The NCSC expects proof-of-concept code to become publicly available in the near future, which significantly increases the risk of widespread abuse. Following an incident in January 2026, the NCSC had already advised Dutch organizations using EPMM to adopt an “assume breach” scenario. Organizations are strongly advised to install the available patches.

In February 2026, the Dutch Judiciary was hit by an Ivanti breach that temporarily prevented employees from accessing applications on mobile devices. Shortly thereafter, the Judicial Institutions Service was also affected by a cyber incident that exploited a vulnerability in EPMM.