CISA gives feds four days to patch Ivanti flaw exploited as zero-day

Published: May 8, 2026 at 08:16 AM EDT

Source: Bleeping Computer

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies four days to secure their networks against a high‑severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that is being exploited as a zero‑day.

Vulnerability Details (CVE‑2026‑6973)

  • Affected product: Ivanti Endpoint Manager Mobile (EPMM) 12.8.0.0 and earlier
  • Impact: Allows attackers with administrative privileges to execute arbitrary code remotely.
  • Exploit status: Actively exploited in the wild; limited exploitation reported at the time of disclosure.

Ivanti’s Advisory

In a Thursday security advisory, Ivanti recommended the following actions:

  • Patch versions: Install Ivanti EPMM 12.6.1.1, 12.7.0.1, or 12.8.0.1.
  • Credential hygiene: Review accounts with admin rights and rotate those credentials where necessary.

“At the time of disclosure, we are aware of very limited exploitation of CVE‑2026‑6973, which requires admin authentication for successful exploitation. We are not aware of any customers being exploited by the other vulnerabilities disclosed today.” – Ivanti blog

Ivanti clarified that the issue only affects the on‑prem EPMM product and is not present in:

  • Ivanti Neurons for MDM (cloud‑based UEM)
  • Ivanti EPM (different product)
  • Ivanti Sentry
  • Any other Ivanti products
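
A branch-aware version check against the fixed builds named in the advisory above, as an added example that is not from Ivanti, CISA or the original article; the inventory, hostnames and status labels are constructed assumptions. A plain "12.8.0.0 or lower" comparison would wrongly flag the fixed 12.6.1.1 and 12.7.0.1 builds, so each version is compared only with the fix for its own release branch.

```python
import re

# Fixed builds named in the advisory, keyed by release branch (major, minor).
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
NEWEST_NAMED_BRANCH = max(FIXED_BUILDS)

def parse_version(text):
    """Return a 4-tuple of ints (zero-padded), or None if not a dotted version."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(version_text):
    """Status labels are this example's own, not advisory terminology."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"            # unparseable: check the appliance by hand
    branch = version[:2]
    if branch in FIXED_BUILDS:
        return "patched" if version >= FIXED_BUILDS[branch] else "vulnerable"
    if branch > NEWEST_NAMED_BRANCH:
        return "verify"             # newer branch: no build named on the page
    return "vulnerable"             # older branch: affected, no fix named for it

def triage(inventory):
    """Map each host in {host: version} to its status."""
    return {host: classify(ver) for host, ver in inventory.items()}

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "epmm-a.example.internal": "12.8.0.0",
    "epmm-b.example.internal": "12.6.1.1",
    "epmm-c.example.internal": "12.7.0.0",
    "epmm-d.example.internal": "12.5.0.2",
    "epmm-e.example.internal": "n/a",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:28} {SAMPLE_INVENTORY[host]:10} {status}")
```

Hosts reported as vulnerable on a branch older than 12.6 have no fixed build named on this page for their branch, so remediation means moving to one of the three listed builds.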

Exposure Landscape

Shadowserver tracks over 800 Ivanti EPMM appliances exposed online. The exact number of appliances already patched for CVE‑2026‑6973 is unknown.

Ivanti EPMM appliances exposed online (Shadowserver)

CISA Action

On Thursday, CISA added CVE‑2026‑6973 to its Known Exploited Vulnerabilities Catalog and mandated that federal agencies patch their EPMM systems by midnight Sunday, May 10.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.” – CISA

  • CVE‑2026‑1281 and CVE‑2026‑1340 – Two other critical EPMM flaws patched in January 2026, also exploited in zero‑day attacks.
  • CISA previously gave agencies four days to remediate CVE‑2026‑1340 (see the April 8 advisory).

Ivanti noted that organizations that followed the January recommendation to rotate credentials after CVE‑2026‑1281 and CVE‑2026‑1340 would see a significantly reduced risk of exploitation from CVE‑2026‑6973.

Ivanti’s Market Presence

Ivanti provides IT asset management solutions to over 40,000 clients worldwide, supported by a network of more than 7,000 partners.

References

  • Ivanti security advisory
  • CISA vulnerability catalog entry
  • Shadowserver exposure data
  • Earlier Ivanti EPMM zero‑day coverage
  • CISA April 8 advisory