Risk events that matter to specialty insurance
AI-powered event intelligence with automated detection, classification, and transparent review status
Monitoring · Impact: Medium · AI Generated

CISA Mandates Federal Patch of Ivanti EPMM Zero-Day CVE-2026-6973 by 10 May 2026

🇺🇸 United States federal agencies and globally exposed Ivanti EPMM on-premises deployments; CISA headquartered in Washington D.C., USA, US
First detected: 10 May 2026, 22:15
Updated: 2d ago
2 reports
Cyber
Property · Cyber · Casualty & Liability
No analyst brief has been published for this event.
No ground report has been published for this event.

Impact Assessment Rationale

The vulnerability affects US federal agencies and over 800 internet-exposed on-premises EPMM appliances globally, posing significant risk to government and enterprise IT infrastructure. However, exploitation requires admin authentication and has so far been confirmed as very limited, constraining immediate insured loss potential.

Geographic Zone Matches

1 active match

  • TRIA Certified Areas
    Rule-based · Confidence 100%

Geographic zone matches are RiskEvents spatial/analytical indicators, not coverage determinations or Lloyd's official classifications.

Summary

CISA has added CVE-2026-6973, a high-severity remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM) versions 12.8.0.0 and earlier, to its Known Exploited Vulnerabilities catalogue following confirmed zero-day exploitation. The agency has ordered US federal agencies to apply patches by midnight 10 May 2026. Ivanti has released fixed versions (12.6.1.1, 12.7.0.1, 12.8.0.1) and confirmed exploitation is currently limited, requiring admin authentication. Over 800 Ivanti EPMM appliances remain exposed online according to Shadowserver, with the vulnerability affecting only on-premises deployments.

This summary is AI-generated from linked source reports and may change as more information becomes available. See our correction policy for how to report errors.

Structured Intelligence

known

  • CVE-2026-6973 is a high-severity RCE flaw in Ivanti EPMM 12.8.0.0 and earlier, requiring admin authentication for exploitation.
  • CISA added CVE-2026-6973 to its Known Exploited Vulnerabilities catalogue on 8 May 2026.
  • CISA has mandated US federal agencies patch by midnight Sunday, 10 May 2026.
  • Ivanti released patches: EPMM versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
  • Shadowserver tracks over 800 Ivanti EPMM appliances exposed online.
  • The vulnerability only affects on-premises EPMM; cloud-based Ivanti Neurons for MDM is not affected.
  • Ivanti serves over 40,000 clients worldwide.

reported

  • Exploitation at time of disclosure was described as 'very limited' by Ivanti.
  • Customers who rotated credentials following January 2026 CVE-2026-1281/CVE-2026-1340 exploitation have significantly reduced risk from CVE-2026-6973.

uncertain

  • The identity and attribution of the threat actors exploiting CVE-2026-6973 in zero-day attacks is not disclosed.
  • The number of EPMM appliances already patched against CVE-2026-6973 is unknown.
  • Whether any specific federal agency systems have been compromised is not confirmed.

Affected Countries

  • 🇪🇺 European Union member states
  • 🇺🇸 United States

Key Entities

CISA, Ivanti, Ivanti Endpoint Manager Mobile (EPMM), Shadowserver, CVE-2026-6973, United States, Sergiu Gatlan, CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, CVE-2026-7821, BleepingComputer
Event started: 7 May 2026

Sources

Trade Media

Timeline

Status Change · 29 May 2026, 05:30

Status changed to monitoring

Auto-transitioned: no updates for 6 hours

Status Change · 29 May 2026, 05:30

Lifecycle changed

active → monitoring

Status Change · 28 May 2026, 22:36

Status changed to active

remediation: existing authoritative signal

Status Change · 28 May 2026, 22:36

Lifecycle changed

signal → active

Corroboration · 10 May 2026, 22:25

Corroborating source

Ivanti disclosed a high-severity remote code execution zero-day vulnerability (CVE-2026-6973) in Endpoint Manager Mobile (EPMM) versions 12.8.0.0 and earlier on 7 May 2026, warning of very limited active exploitation. The flaw stems from improper input validation and requires administrative privileges for exploitation. Shadowserver tracks over 850 exposed EPMM instances globally, predominantly in Europe (508) and North America (182). Patches were released in EPMM versions 12.6.1.1, 12.7.0.1, and 12.8.0.1, and four additional high-severity EPMM vulnerabilities were simultaneously patched.

At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation. The issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti's cloud-based unified endpoint management solution.

Source: BleepingComputer (Trade Media)

Initial Detection · 10 May 2026, 22:15

CISA has added CVE-2026-6973, a high-severity remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM) versions 12.8.0.0 and earlier, to its Known Exploited Vulnerabilities catalogue following confirmed zero-day exploitation. The agency has ordered US federal agencies to apply patches by midnight 10 May 2026. Ivanti has released fixed versions (12.6.1.1, 12.7.0.1, 12.8.0.1) and confirmed exploitation is currently limited, requiring admin authentication. Over 800 Ivanti EPMM appliances remain exposed online according to Shadowserver, with the vulnerability affecting only on-premises deployments.

CISA has given U.S. federal agencies four days to secure their networks against a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited in zero-day attacks. Tracked as CVE-2026-6973, this security flaw allows attackers with administrative privileges to execute arbitrary code remotely on systems running EPMM 12.8.0.0 and earlier.

Source: BleepingComputer (Trade Media)