Vulnerability Management, Patch/Configuration Management, Government security

Federal agencies ordered to patch Ivanti EPMM zero-day in 3 days

The Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity Ivanti Endpoint Manager Mobile (EPMM) vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, giving federal civilian branch agencies until May 10 to fix the flaw.

The vulnerability, tracked as CVE-2026-6973, is an improper input validation flaw in Ivanti EPMM. This flaw could enable a remotely authenticated user with administrative privileges to execute arbitrary code.

CVE-2026-6973 has a CVSS score of 7.2 and affects EPMM versions prior to 12.6.1.1, 12.7.0.1 and 12.8.0.1. Ivanti said in an advisory Thursday that a “very limited number of customers” have been affected by exploitation of the zero-day.
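As an added example (not from the article or from Ivanti), a small Python check that maps an EPMM version string onto the affected and fixed ranges quoted above; the per-branch reading of "prior to" and the sample inventory are assumptions, not the vendor's wording.

```python
"""Classify an Ivanti EPMM version against CVE-2026-6973 as described
in the article: affected are versions prior to 12.6.1.1, 12.7.0.1 and
12.8.0.1.

Assumed reading: each fixed release closes its own branch (12.6.x,
12.7.x, 12.8.x); 12.x branches older than 12.6 have no listed fix and
are treated as affected; branches newer than 12.8 are outside the
advisory text and reported as "not listed".
"""
from __future__ import annotations

# Fixed releases named in the advisory, keyed by release branch.
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, ...]] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}

def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.7.0.1' into (12, 7, 0, 1); shorter strings are padded
    with zeros so '12.7' compares as 12.7.0.0, below the 12.7.0.1 fix."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def cve_2026_6973_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one EPMM version."""
    v = parse_version(version)
    branch = v[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is not None:
        return "fixed" if v >= fixed else "affected"
    # Branch not named in the advisory: older than the oldest fixed
    # branch has no fix at all; newer is not covered by the text.
    return "affected" if branch < min(FIXED_BY_BRANCH) else "not listed"

def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> status for a host:version inventory."""
    return {host: cve_2026_6973_status(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"epmm-a": "12.6.1.0", "epmm-b": "12.7.0.1", "epmm-c": "12.8",
              "epmm-d": "12.5.0.3", "epmm-e": "12.7.1.0", "epmm-f": "12.9.0.0"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```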

“Successful exploitation requires Admin authentication. If customers followed Ivanti’s recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced,” the company stated.

Federal agencies have until May 10, 2026, to resolve the vulnerability, with CISA stating, “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”

CVE-2026-1281 and CVE-2026-1340 are two critical vulnerabilities in Ivanti EPMM which were disclosed in January 2026 and could lead to unauthenticated remote code execution (RCE). CVE-2026-1281 was added to the KEV catalog on Jan. 29, 2026, and CVE-2026-1340 was added on April 8. Both have a CVSS score of 9.8.

The critical flaws were suspected to be involved in attacks on the Dutch Data Protection Authority and Judicial Council and the European Commission in early February; around the same time, Palo Alto Networks reported a widespread surge in attacks involving the flaws, targeting several critical infrastructure sectors across the United States, Germany, Australia and Canada.

Upgrading to versions 12.6.1.1, 12.7.0.1 and 12.8.0.1 resolves CVE-2026-6973 as well as CVE-2026-1281 and CVE-2026-1340. The previous two vulnerabilities were also given similarly short 3-day patch deadlines by CISA.

CISA typically gives federal agencies two to three weeks to patch vulnerabilities added to the KEV catalog unless there is an elevated risk. Earlier this week, Reuters reported that CISA was considering shortening the average deadline to three days in response to AI advancements such as the release of Claude Mythos.
