VYPR
Published May 8, 2026 · Updated May 17, 2026 · 3 sources

CISA Mandates Urgent Patching for Ivanti EPMM Zero-Day Vulnerability

CISA has mandated that federal agencies patch a high-severity zero-day vulnerability in Ivanti Endpoint Manager Mobile by May 10 following reports of active exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency mandate requiring federal civilian agencies to secure their networks against a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that is currently being exploited in the wild (BleepingComputer). Agencies have been given until midnight on Sunday, May 10, to apply the necessary patches to their systems (BleepingComputer).

The vulnerability, tracked as CVE-2026-6973, stems from improper input validation within the EPMM software (Help Net Security). This flaw allows an attacker who has already obtained administrative privileges to execute arbitrary code remotely on affected systems (BleepingComputer). While the exploit requires prior administrative access, Ivanti has confirmed that a "very limited number of customers" have already been compromised using this method (BleepingComputer, Help Net Security).

Ivanti has released security updates to address the flaw, which affects EPMM versions 12.8.0.0 and earlier (BleepingComputer). Organizations are urged to upgrade to versions 12.6.1.1, 12.7.0.1, or 12.8.0.1 immediately (BleepingComputer). In addition to patching, the vendor strongly recommends that administrators review all accounts with administrative rights and rotate their credentials to mitigate the risk of unauthorized access (BleepingComputer, Help Net Security).
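A naive "version >= 12.6.1.1" comparison would wrongly clear an unpatched 12.7.0.0 or 12.8.0.0 host, so an inventory check has to be branch-aware. The following is an added example, not code from Ivanti or the cited reports; it assumes each fixed release named above is the patch level for its own major.minor branch and that releases newer than 12.8.0.1 carry the fix, and the hostnames and inventory are constructed.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
# ASSUMPTION: each fixed release is the patch level for its own branch.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
NEWEST_FIXED = max(FIXED.values())

def parse_version(text):
    """Turn '12.7.0.0' (optionally followed by build text) into a 4-tuple."""
    m = re.match(r"\s*(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version_text):
    """Classify one EPMM version string against CVE-2026-6973 fixed releases."""
    v = parse_version(version_text)
    if v >= NEWEST_FIXED:
        # ASSUMPTION: anything at or past the newest fixed release has the fix.
        return "patched"
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # Older branch with no fixed release listed: must move to a fixed branch.
        return "vulnerable-no-branch-fix"
    return "patched" if v >= fixed else "vulnerable"

# Constructed sample inventory (hostnames are placeholders).
INVENTORY = [
    ("epmm-a.example.internal", "12.8.0.1"),
    ("epmm-b.example.internal", "12.8.0.0"),
    ("epmm-c.example.internal", "12.7.0.0"),
    ("epmm-d.example.internal", "12.6.1.1"),
    ("epmm-e.example.internal", "12.5.0.0"),
]

def needs_action(inventory):
    """Return (host, version, status) for every host that is not patched."""
    results = [(host, ver, triage(ver)) for host, ver in inventory]
    return [r for r in results if r[2] != "patched"]

if __name__ == "__main__":
    for host, ver, status in needs_action(INVENTORY):
        # Patching alone is not the full remediation: the vendor also
        # recommends reviewing admin accounts and rotating credentials.
        print(f"{host}\t{ver}\t{status}\tpatch + review admins + rotate creds")
```
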

The impact of this vulnerability is limited to on-premises EPMM deployments; Ivanti Neurons for MDM, Ivanti EPM, and Ivanti Sentry are not affected by this specific flaw (BleepingComputer). However, because Sentry appliances rely on EPMM configurations, Ivanti advises that customers also review the security of their Sentry appliances during the remediation process (Help Net Security). According to the nonprofit security organization Shadowserver, there are currently over 800 Ivanti EPMM appliances exposed to the public internet (BleepingComputer).

Alongside the fix for the zero-day, Ivanti also patched four other high-severity vulnerabilities in EPMM, including issues related to improper access control and certificate management (Help Net Security). While these additional flaws are not currently known to be under active exploitation, they present significant security risks, such as the potential for unauthenticated attackers to obtain valid client certificates or enroll unauthorized devices (Help Net Security).

This incident marks the latest in a series of security challenges for Ivanti’s mobile management products. Earlier this year, the company addressed two other critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, which were linked to attacks against high-profile government entities, including the European Commission and Finland’s central government ICT service center (Help Net Security). CISA has formally added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing that such flaws are frequent attack vectors that pose a substantial risk to the federal enterprise (CISA).

Synthesized by Vypr AI