
CISA orders feds to patch exploited Ivanti zero-day in 4 days

Originally published on: May 9, 2026
Summary

– CISA has given U.S. federal agencies four days to patch the high-severity Ivanti EPMM vulnerability CVE-2026-6973, which has been exploited in zero-day attacks.
– The flaw allows attackers with admin privileges to execute arbitrary code remotely on Ivanti EPMM versions 12.8.0.0 and earlier.
– Ivanti released patches (versions 12.6.1.1, 12.7.0.1, and 12.8.0.1) and recommends reviewing and rotating admin credentials.
– The vulnerability only affects the on-prem EPMM product, not Ivanti’s cloud-based MDM or other products.
– Shadowserver tracks over 800 exposed Ivanti EPMM appliances online, but the number of patched systems is unknown.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive requiring federal agencies to patch a high-severity Ivanti zero-day vulnerability within four days, following confirmed exploitation in active attacks. The flaw, designated CVE-2026-6973, impacts Ivanti Endpoint Manager Mobile (EPMM) and enables attackers with administrative privileges to execute arbitrary code remotely on systems running EPMM version 12.8.0.0 and earlier.

Ivanti released a security advisory on Thursday detailing the issue and urging customers to update to versions 12.6.1.1, 12.7.0.1, or 12.8.0.1. The company also recommended reviewing all accounts with Admin rights and rotating credentials where appropriate. “At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation,” Ivanti stated. “We are not aware of any customers being exploited by the other vulnerabilities disclosed today.” The company clarified that the vulnerability affects only the on-premises EPMM product and does not impact Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or any other Ivanti solutions.

The nonprofit security organization Shadowserver has identified over 800 Ivanti EPMM appliances exposed online, though it remains unclear how many have already been patched. On Thursday, CISA added CVE-2026-6973 to its catalog of exploited vulnerabilities and mandated that federal agencies secure their EPMM systems by midnight Sunday, May 10. “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned.

This is not the first time Ivanti EPMM has faced scrutiny. In late January, the company patched two other critical flaws, CVE-2026-1281 and CVE-2026-1340, that were exploited in zero-day attacks affecting a “very limited number of customers.” On April 8, CISA similarly gave federal agencies four days to address the CVE-2026-1340 vulnerability. Ivanti noted that customers who followed the January recommendation to rotate credentials after exploitation of those earlier flaws would face “significantly reduced” risk from CVE-2026-6973.

Ivanti serves more than 40,000 clients worldwide through a network of over 7,000 partners, providing IT asset management solutions across numerous industries.

(Source: BleepingComputer)
