Ivanti and ConnectWise Patch Actively Exploited and Critical Enterprise Management Flaws
Ivanti released fixes for a newly disclosed high-severity flaw in its on-premises Endpoint Manager Mobile (EPMM) platform, tracked as CVE-2026-6973, after confirming limited zero-day exploitation. The vulnerability is caused by improper input validation and can lead to arbitrary code execution when a remote attacker already has administrator-level access. Ivanti said the issue affects EPMM 12.8.0.0 and earlier and issued patched versions 12.6.1.1, 12.7.0.1, and 12.8.0.1, while urging customers to review privileged accounts and rotate credentials. The disclosure adds to a longer pattern of Ivanti security incidents: CISA previously warned that CVE-2023-35082, a critical authentication bypass flaw in Ivanti EPMM and MobileIron Core, was being actively exploited to gain unauthenticated API access, expose user data, and potentially backdoor servers when chained with other vulnerabilities.
ConnectWise also disclosed a critical vulnerability in ConnectWise Automate, tracked as CVE-2026-9089, affecting versions prior to 2026.5. The flaw, classified as CWE-494, stems from insufficient integrity verification during plugin loading and self-update operations and could allow malicious code execution on client machines during agent updates under specific network conditions. ConnectWise assigned the issue a CVSS score of 8.8, automatically updated cloud deployments, and instructed on-premises customers to manually upgrade to version 2026.5; Canada’s Cyber Centre separately urged administrators to apply the vendor update. The disclosures highlight continued risk across widely deployed enterprise management platforms, with internet exposure data showing hundreds of Ivanti EPMM systems and broad operational dependence on remote monitoring and mobile device management software.
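The fixed versions above can be turned into an inventory check. The following is an added example, not code from Ivanti, ConnectWise, or the cited sources. It assumes version strings are recorded in the dotted form used in this article, and its hostnames and inventory rows are constructed.

```python
# Added example, not vendor code. Fixed versions are the ones named in the article;
# hostnames and inventory rows below are constructed sample data.
EPMM_FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
AUTOMATE_FIXED = (2026, 5)  # CVE-2026-9089: versions prior to 2026.5 are affected


def parse_version(text, width):
    """Turn '12.7.0' into (12, 7, 0, 0), zero-padded to `width` parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (width - len(parts))


def epmm_status(version):
    """Classify an on-premises EPMM build against the CVE-2026-6973 fixes."""
    v = parse_version(version, 4)
    train = v[:2]
    if train in EPMM_FIXED:
        return "patched" if v >= EPMM_FIXED[train] else "vulnerable"
    if train < min(EPMM_FIXED):
        # 12.8.0.0 and earlier are affected; no fix is listed for this train.
        return "vulnerable-upgrade-train"
    return "not-covered"  # newer than anything the article describes


def automate_status(version):
    """Classify a ConnectWise Automate release against CVE-2026-9089."""
    return "patched" if parse_version(version, 2) >= AUTOMATE_FIXED else "vulnerable"


CHECKS = {"epmm": epmm_status, "automate": automate_status}


def triage(inventory):
    """Return (host, product, version, status) for every row that is not patched."""
    findings = []
    for host, product, version in inventory:
        status = CHECKS[product](version)
        if status != "patched":
            findings.append((host, product, version, status))
    return findings


if __name__ == "__main__":
    sample = [  # constructed inventory
        ("mdm-01.example.internal", "epmm", "12.8.0.0"),
        ("mdm-02.example.internal", "epmm", "12.7.0.1"),
        ("mdm-03.example.internal", "epmm", "12.5.0.2"),
        ("rmm-01.example.internal", "automate", "2026.4"),
    ]
    for row in triage(sample):
        print(*row, sep="\t")
```

A build on a release train older than 12.6 is reported separately because the article lists no fixed build for those trains, so the remediation is a move to a patched train rather than an in-train update.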

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Ivanti discloses four additional high-severity EPMM flaws
Alongside CVE-2026-6973, Ivanti disclosed four more high-severity vulnerabilities affecting EPMM. Ivanti said it had not observed active exploitation of those additional flaws.
Ivanti patches new EPMM zero-day CVE-2026-6973
Ivanti released security updates for CVE-2026-6973, a high-severity improper input validation flaw in on-premises EPMM that had seen limited zero-day exploitation. The company issued patched versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 and advised customers to review privileged accounts and rotate credentials.
Canadian Centre for Cyber Security issues ConnectWise advisory
Canada's Cyber Centre published advisory AV26-496 urging administrators to review ConnectWise's security information and apply the ConnectWise Automate 2026.5 update. The notice highlighted that versions prior to 2026.5 are affected.
CVE record for ConnectWise Automate flaw is published
The CVE-2026-9089 record was published with a description, CWE-494 classification, CVSS details, and a vendor reference. The entry identified ConnectWise Automate 2026.5 as the remediation.
ConnectWise publishes advisory and fixes CVE-2026-9089 in Automate 2026.5
On May 21, 2026, ConnectWise disclosed CVE-2026-9089, a critical flaw in ConnectWise Automate involving insufficient integrity verification during plugin loading and self-update operations. The company said the issue affects versions prior to 2026.5; it automatically updated cloud deployments and required on-premises customers to upgrade manually.
ConnectWise releases Automate 2026.4 security fix bulletin
ConnectWise published a security bulletin for ConnectWise Automate 2026.4 on April 20, 2026. This is an earlier, separate vendor security update from the later 2026.5 bulletin tied to CVE-2026-9089.
CISA warns CVE-2023-35082 is actively exploited
CISA said CVE-2023-35082 was under active exploitation and added it to the Known Exploited Vulnerabilities Catalog. The agency ordered U.S. federal civilian agencies to remediate affected systems by February 2, 2024 under Binding Operational Directive 22-01.
Ivanti patches CVE-2023-35082 in EPMM and MobileIron Core
Ivanti released fixes for CVE-2023-35082 in August 2023. The vulnerability could also help attackers backdoor compromised servers when chained with other flaws.
Rapid7 reports Ivanti EPMM auth bypass flaw to Ivanti
Rapid7 discovered and reported CVE-2023-35082, a critical authentication bypass vulnerability affecting Ivanti Endpoint Manager Mobile and MobileIron Core. The flaw allows unauthenticated remote API access and exposure of mobile users' personally identifiable information.
Sources
6 references tracked.
ConnectWise Automate Vulnerability: CVE-2026-9089 Fixed
securityonline.info
Ivanti Patches New EPMM Vulnerability Linked to Active Zero-Day Exploitation - CySecurity News - Latest Information Security and Hacking Incidents
cysecurity.news
ConnectWise security advisory (AV26-496) - Canadian Centre for Cyber Security
cyber.gc.ca
CVE-2026-9089 - ConnectWise Automate Agent Unvalidated Component Loading and Update Vulnerability
cvefeed.io
ConnectWise Automate™ 2026.4 Security Fix | ConnectWise
connectwise.com
CISA: Critical Ivanti auth bypass bug now actively exploited
bleepingcomputer.com


