The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. federal agencies four days to secure their networks against a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited in zero-day attacks.
Tracked as CVE-2026-6973, this security flaw allows attackers with administrative privileges to execute arbitrary code remotely on systems running EPMM 12.8.0.0 and earlier.
In a Thursday security advisory, Ivanti told customers they can secure their appliances by installing Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and advised them to review accounts with Admin rights and rotate those credentials where necessary.
“At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation. We are not aware of any customers being exploited by the other vulnerabilities disclosed today,” it said.
“The issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products.”
Nonprofit security organization Shadowserver now tracks over 800 Ivanti EPMM appliances exposed online. However, there is no information on how many have already been patched against the CVE-2026-6973 vulnerability.
.png)
On Thursday, CISA added the security flaw to its list of vulnerabilities exploited in attacks and mandated that federal agencies patch their EPMM systems by midnight Sunday, May 10.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned.
In late January, Ivanti patched two other critical EPMM security issues (CVE-2026-1281 and CVE-2026-1340) that were exploited in zero-day attacks affecting a “very limited number of customers.” On April 8, CISA also gave U.S. government agencies four days to secure their systems against attacks targeting the CVE-2026-1340 flaw.
“If customers followed Ivanti’s recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced,” the company noted on Thursday.
Ivanti provides IT asset management solutions to over 40,000 clients worldwide, supported by an extensive network of over 7,000 partners.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
