
CISA Mandates Patching of Ivanti Flaw Exploited in Zero-Day Attacks


"At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation," Ivanti told customers.

CVE-2026-6973: what the flaw is and which EPMM releases it touches

The vulnerability, tracked as CVE-2026-6973, allows an attacker with administrative privileges to execute arbitrary code remotely on systems running Ivanti Endpoint Manager Mobile (EPMM) version 12.8.0.0 and earlier. Ivanti said the issues affect only the on-premises EPMM product; the company stated they "are not present in Ivanti Neurons for MDM, Ivanti's cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products."

CISA order and the federal timeline

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-6973 to its list of vulnerabilities known to be exploited in attacks and required U.S. federal agencies to patch their EPMM systems by midnight Sunday, May 10. CISA characterized this class of flaw as risky for the federal enterprise: "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the agency warned.

Ivanti's mitigations and guidance for customers

Ivanti recommended customers secure appliances by installing updated EPMM builds: 12.6.1.1, 12.7.0.1, and 12.8.0.1. The vendor also advised customers to review accounts with Admin rights and rotate those credentials where necessary. Ivanti added that prior steps taken after earlier incidents should reduce exposure: "If customers followed Ivanti's recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced."
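
A version triage check for the guidance above, as an added example that is not Ivanti's or CISA's tooling: it classifies inventory versions against the affected range and the fixed builds named in this article. The hostnames and inventory are constructed, and the mapping of each fixed build to its own major.minor release line is an assumption.

```python
# Added example: triage EPMM versions against the builds named in the article.
# Assumption: each fixed build remediates its own major.minor release line.
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
LAST_AFFECTED = (12, 8, 0, 0)  # "12.8.0.0 and earlier" per the article


def parse_version(text):
    """Parse a dotted version such as '12.7.0.1' into a 4-tuple of ints."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))  # pad short strings with zeros


def classify(version_text):
    """Return 'fixed', 'vulnerable', 'upgrade-branch' or 'unknown'."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"  # never report an unparseable version as safe
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is not None:
        return "fixed" if version >= fixed else "vulnerable"
    if version > LAST_AFFECTED:
        return "fixed"  # later than the last affected release
    return "upgrade-branch"  # affected, no fixed build listed for this line


def triage(inventory):
    """Map each host to its status; anything not 'fixed' needs follow-up."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "epmm-a.example.internal": "12.8.0.0",
    "epmm-b.example.internal": "12.7.0.1",
    "epmm-c.example.internal": "12.6.1.0",
    "epmm-d.example.internal": "12.5.0.2",
    "epmm-e.example.internal": "12.8.0.1-beta",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{status}")
```

A "fixed" result covers only the build level; the Admin account review and credential rotation Ivanti advised still apply to those hosts.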

Exposure on the public internet and the record so far

Nonprofit security organization Shadowserver is tracking more than 800 Ivanti EPMM appliances exposed online. The public record contains no information about how many of those exposed devices have already been patched against CVE-2026-6973. Ivanti also said that, at disclosure, it was "aware of very limited exploitation of CVE-2026-6973" and that it was not aware of customers being exploited by the other vulnerabilities disclosed alongside this one.

How federal agencies, technologists, and enterprises are affected

  • Federal agencies: CISA's mandate gives agencies a hard deadline of midnight May 10 to remediate EPMM instances, creating an operational imperative to apply the specified updates or otherwise secure affected appliances within the four-day window.
  • Technologists and security teams: Teams running on-prem EPMM should install Ivanti EPMM 12.6.1.1, 12.7.0.1, or 12.8.0.1 where applicable, review accounts that hold Admin rights, and rotate credentials as Ivanti advised. The company highlighted that successful exploitation requires admin authentication.
  • Affected enterprises and procurement leaders: Organizations that use Ivanti EPMM should confirm whether their deployments are on-prem (and thus in scope) versus cloud-based Ivanti Neurons for MDM or other Ivanti products, which Ivanti said are not impacted.

Ivanti, which supplies IT asset management solutions to more than 40,000 clients worldwide and operates through an extensive network of over 7,000 partners, has faced successive zero-day disclosures this year. In late January the company patched two critical EPMM issues — CVE-2026-1281 and CVE-2026-1340 — that were exploited in zero-day attacks affecting a "very limited number of customers," and CISA previously gave agencies four days to address CVE-2026-1340 on April 8.

The immediate facts are straightforward: a high-severity, authenticated remote-code-execution flaw exists in on-prem Ivanti EPMM 12.8.0.0 and earlier; Ivanti has published patched builds and credential-rotation guidance; Shadowserver reports over 800 exposed appliances; and CISA has ordered federal agencies to remediate by midnight May 10. What remains open in the record is how many exposed systems will be updated within that compressed timeline and whether the "very limited" exploitation Ivanti cited will grow now that the vulnerability has been added to CISA's exploited-vulnerabilities list.
