CISA gives feds four days to patch Ivanti flaw exploited as zero-day

Summary

CISA issued an emergency directive requiring U.S. federal agencies to patch CVE-2026-6973, a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) being exploited in active zero-day attacks, by May 10, 2026. The flaw allows attackers with admin privileges to execute arbitrary code remotely on EPMM 12.8.0.0 and earlier. Ivanti disclosed that exploitation has been limited so far and provided patched versions (12.6.1.1, 12.7.0.1, 12.8.0.1), while Shadowserver tracks over 800 exposed EPMM appliances online.

Full text

CISA gives feds four days to patch Ivanti flaw exploited as zero-day By Sergiu Gatlan May 8, 2026 08:16 AM 0 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. federal agencies four days to secure their networks against a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited in zero-day attacks. Tracked as CVE-2026-6973, this security flaw allows attackers with administrative privileges to execute arbitrary code remotely on systems running EPMM 12.8.0.0 and earlier. In a Thursday security advisory, Ivanti told customers they can secure their appliances by installing Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and advised them to review accounts with Admin rights and rotate those credentials where necessary. "At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation. We are not aware of any customers being exploited by the other vulnerabilities disclosed today," it said. "The issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti's cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products." Nonprofit security organization Shadowserver now tracks over 800 Ivanti EPMM appliances exposed online. However, there is no information on how many have already been patched against the CVE-2026-6973 vulnerability. Ivanti EPMM appliances exposed online (Shadowserver) ​​​On Thursday, CISA added the security flaw to its list of vulnerabilities exploited in attacks and mandated that federal agencies patch their EPMM systems by midnight Sunday, May 10. "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned. In late January, Ivanti patched two other critical EPMM security issues (CVE-2026-1281 and CVE-2026-1340) that were exploited in zero-day attacks affecting a "very limited number of customers." On April 8, CISA also gave U.S. government agencies four days to secure their systems against attacks targeting the CVE-2026-1340 flaw. "If customers followed Ivanti's recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced," the company noted on Thursday. Ivanti provides IT asset management solutions to over 40,000 clients worldwide, supported by an extensive network of over 7,000 partners. 99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Claim Your Spot Related Articles: Ivanti warns of new EPMM flaw exploited in zero-day attacksCISA orders feds to patch exploited Ivanti EPMM flaw by SaturdayIvanti fixes EPMM zero-days chained in code execution attacksCISA flags Apache ActiveMQ flaw as actively exploited in attacksHackers exploiting critical F5 BIG-IP flaw in attacks, patch now

Indicators of Compromise

• cve — CVE-2026-6973
• cve — CVE-2026-1281
• cve — CVE-2026-1340

Entities