Originally published by BleepingComputer
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. federal agencies four days to secure their networks against a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited in zero-day attacks.
Tracked as CVE-2026-6973, this security flaw allows attackers with administrative privileges to execute arbitrary code remotely on systems running EPMM 12.8.0.0 and earlier.
In aThursday security advisory, Ivanti told customers they can secure their appliances by installing Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and advised them to review accounts with Admin rights and rotate those credentials where necessary.
“At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation. We are not aware of any customers being exploited by the other vulnerabilities disclosed today,“it said.
“The issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products.”
Nonprofit security organization Shadowserver now tracksover 800 Ivanti EPMM appliancesexposed online. However, there is no information on how many have already been patched against the CVE-2026-6973 vulnerability.
On Thursday, CISAaddedthe security flaw to itslist of vulnerabilities exploited in attacksand mandated that federal agencies patch their EPMM systems by midnight Sunday, May 10.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned.
In late January, Ivanti patchedtwo other critical EPMM security issues(CVE-2026-1281 and CVE-2026-1340) that were exploited in zero-day attacks affecting a “very limited number of customers.” On April 8, CISA also gave U.S. government agencies four days tosecure their systemsagainst attacks targeting the CVE-2026-1340 flaw.
“If customers followed Ivanti’s recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced,“the company noted on Thursday.
Ivanti provides IT asset management solutions to over 40,000 clients worldwide, supported by an extensive network of over 7,000 partners.
99% of What Mythos Found Is Still Unpatched.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
Ivanti warns of new EPMM flaw exploited in zero-day attacks
CISA orders feds to patch exploited Ivanti EPMM flaw by Saturday
Ivanti fixes EPMM zero-days chained in code execution attacks
CISA flags Apache ActiveMQ flaw as actively exploited in attacks
Hackers exploiting critical F5 BIG-IP flaw in attacks, patch now
As an Amazon Associate, we earn from qualifying purchases at no extra cost to you.