Ivanti EPMM Zero-Day (CVE-2026-6973) Actively Exploited — CISA Orders Emergency Patching by May 10

Ivanti has released emergency patches for its Endpoint Manager Mobile (EPMM) product, addressing five vulnerabilities — including CVE-2026-6973, a high-severity zero-day that is being actively exploited in targeted attacks. The flaw is an improper input validation issue that allows authenticated attackers with admin privileges to achieve remote code execution.

CISA has added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies remediate it by May 10, 2026 — an unusually tight deadline. Ivanti noted that the risk is “significantly reduced” for customers who rotated credentials following the exploitation of two earlier zero-days (CVE-2026-1281 and CVE-2026-1340) in January, suggesting the new flaw may be chained with those previous vulnerabilities for unauthenticated access.

Ivanti has not attributed the attacks, though SecurityWeek notes that Chinese state-sponsored threat actors are frequently behind zero-day exploitation of Ivanti products. The CISA KEV catalog now includes 34 Ivanti product vulnerabilities.

Source

SecurityWeek · Help Net Security · CISA Advisory

Commentary

Ivanti’s track record at this point is a case study in security debt. Thirty-four entries in CISA’s KEV catalog is a staggering number for a single vendor, and the pattern of chained zero-days exploited by state-sponsored actors suggests persistent, deep access to these products. If you’re running Ivanti EPMM and haven’t rotated credentials since January, treat this as a full compromise investigation — not just a patching exercise.

The two-day CISA remediation deadline tells you everything about the severity. Federal agencies have until Saturday. Everyone else should be moving just as fast.
