Ivanti CVE-2026-6973 Added to CISA KEV Under Active Exploitation
CISA added one Ivanti vulnerability — CVE-2026-6973 — to its Known Exploited Vulnerabilities catalog, confirming the flaw is being actively exploited in the wild.
Key findings
- CISA added Ivanti CVE-2026-6973 to the KEV catalog on May 7, 2026, confirming active exploitation.
- The vulnerability affects an Ivanti product; full technical details are pending coordinated disclosure.
- No ransomware association has been confirmed for CVE-2026-6973 at this time.
- Federal agencies must remediate by May 28, 2026, under BOD 22-01; private sector urged to follow suit.
- Defenders should inventory Ivanti assets, apply patches, and implement compensating controls where patching is delayed.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a single Ivanti vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 7, 2026, confirming active exploitation in the wild. The flaw, tracked as CVE-2026-6973, marks the latest entry in a string of Ivanti security issues that have drawn urgent attention from federal agencies and enterprise defenders alike.
CVE-2026-6973 is a newly disclosed vulnerability affecting an Ivanti product. While full technical details remain under restricted disclosure as vendors and researchers coordinate patches, CISA's addition to the KEV catalog signals that threat actors are already leveraging the flaw in real-world attacks. The vulnerability has been assigned a CVE identifier but additional metadata — including CVSS severity, attack complexity, and the specific Ivanti product line impacted — is expected to be published as the coordinated disclosure process unfolds.
The KEV listing carries a binding operational directive (BOD 22-01) remediation deadline for U.S. federal civilian executive branch agencies. Under the directive, agencies must apply vendor-supplied mitigations or remove the affected product from agency networks by the due date — typically three weeks from the KEV addition. For CVE-2026-6973, that deadline falls on May 28, 2026. Private-sector organizations are strongly encouraged to follow the same timeline.
CISA has not associated CVE-2026-6973 with any known ransomware campaigns at this time. However, the active exploitation confirmation alone warrants immediate prioritization. Ivanti products — including remote access gateways, endpoint management platforms, and mobile device management solutions — are widely deployed across government and enterprise environments, making any actively exploited flaw in the vendor's portfolio a significant concern.
Defenders should immediately inventory all Ivanti assets in their environments, check for available patches or mitigation guidance from Ivanti's security advisory portal, and apply updates as soon as feasible. Organizations unable to patch immediately should implement compensating controls such as network segmentation, strict access controls, and heightened monitoring of Ivanti-facing interfaces. Threat-hunting teams should review logs for indicators of compromise associated with CVE-2026-6973 as detection guidance becomes available.