TL;DR
CISA has issued a four-day deadline for U.S. federal agencies to patch a high-severity Ivanti vulnerability (CVE-2026-6973) exploited in zero-day attacks. Ivanti confirms limited exploitation and provides guidance for mitigation.
CISA has given U.S. federal agencies a strict four-day deadline to patch a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited in active zero-day attacks, emphasizing the threat to national cybersecurity.
The vulnerability, identified as CVE-2026-6973, allows attackers with administrative privileges to remotely execute arbitrary code on affected systems. Ivanti’s advisory states that the flaw impacts EPMM versions 12.8.0.0 and earlier, and recommends updates to versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 for mitigation. Ivanti reports limited exploitation of this flaw and notes that a successful attack requires admin authentication. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its list of actively exploited flaws and mandated the patching deadline for federal agencies, citing the high risk posed by such vulnerabilities.
As of now, over 800 Ivanti EPMM appliances are exposed online, according to cybersecurity organization Shadowserver, though it remains unclear how many have been patched against CVE-2026-6973. Ivanti clarified that the flaw affects only on-premises EPMM products, not Ivanti’s cloud-based solutions or other Ivanti products. CISA’s directive underscores the ongoing threat from cyber adversaries exploiting similar vulnerabilities in enterprise software.
Why It Matters
This development highlights the persistent cybersecurity risks associated with enterprise management software like Ivanti EPMM, which, if left unpatched, can serve as an entry point for malicious actors targeting federal networks. The order emphasizes the urgency of timely patching to prevent potential data breaches, system compromises, or further exploitation of the vulnerability.

Background
Ivanti previously addressed other critical vulnerabilities in January (CVE-2026-1281 and CVE-2026-1340), which were also exploited in zero-day attacks affecting a limited user base. The current vulnerability, CVE-2026-6973, is now actively exploited, prompting CISA’s immediate action. The agency’s recent directives reflect ongoing efforts to mitigate vulnerabilities in enterprise endpoint management tools used across federal agencies, amid a broader landscape of increasing cyber threats.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”
— CISA
“At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation.”
— Ivanti

What Remains Unclear
It is still unclear how many Ivanti EPMM systems have already been patched against CVE-2026-6973 or are still vulnerable. Details about the scope of exploitation and specific threat actors involved remain limited, and ongoing investigations could reveal more information.

What’s Next
Federal agencies are expected to complete the mandated patching by May 10, 2024. Security researchers and organizations will continue monitoring for signs of exploitation and may issue further guidance or updates as new information emerges. Ivanti is likely to release additional updates or advisories if new developments occur.

Key Questions
What is CVE-2026-6973?
CVE-2026-6973 is a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that allows attackers with administrative privileges to execute arbitrary code remotely, and it has been exploited in recent zero-day attacks.
Why is CISA involved in this vulnerability?
CISA has classified CVE-2026-6973 as actively exploited and issued a directive to federal agencies to patch within four days to prevent potential breaches and mitigate national security risks.
Are all Ivanti products affected?
No, Ivanti states that only the on-premises EPMM versions are affected. Cloud-based solutions and other Ivanti products are not impacted by this specific vulnerability.
What should organizations do now?
Organizations using affected Ivanti EPMM versions should update to the recommended patched versions (12.6.1.1, 12.7.0.1, or 12.8.0.1) immediately and review admin account credentials to reduce risk.
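
Because fixes were issued on three release branches, a single "12.8.0.0 or lower" comparison would wrongly flag patched 12.6.1.1 and 12.7.0.1 builds. The following is an added example (not Ivanti or CISA code) that triages an inventory per branch; it assumes four-part dotted version strings and that a branch is the major.minor pair, and the hostnames are constructed.

```python
# Added example (not Ivanti or CISA code). Version numbers come from the
# article; hostnames and the inventory below are constructed sample data.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
LAST_AFFECTED = (12, 8, 0, 0)  # "12.8.0.0 and earlier"


def parse(version):
    """Parse a dotted numeric version, padded to four parts (assumed format)."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def naive_is_vulnerable(version):
    """The pitfall: one global threshold mislabels patched 12.6/12.7 builds."""
    return parse(version) <= LAST_AFFECTED


def triage(version):
    """Compare against the fixed release of the build's own major.minor branch."""
    v = parse(version)
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    if v <= LAST_AFFECTED:
        # Older branch: affected, and the article lists no in-branch fix.
        return "vulnerable-move-to-fixed-branch"
    return "not-covered-by-article"  # newer than anything the article names


def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(ver) for host, ver in inventory.items()}


SAMPLE_INVENTORY = {  # constructed
    "epmm-a.example.internal": "12.8.0.0",
    "epmm-b.example.internal": "12.6.1.1",
    "epmm-c.example.internal": "12.5.0.4",
    "epmm-d.example.internal": "12.7.0.1",
}

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host:28} {SAMPLE_INVENTORY[host]:10} {status}")
```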