# CISA Orders Federal Agencies to Patch Exploited Ivanti EPMM Zero-Day Within Four Days

The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has issued an urgent directive, giving U.S. federal agencies a four-day deadline to secure their networks against a high-severity vulnerability in **Ivanti Endpoint Manager Mobile (EPMM)**. The vulnerability, tracked as **CVE-2026-6973**, is actively being exploited in zero-day attacks.

**CISA** has mandated that federal agencies patch their **Ivanti EPMM** systems by midnight Sunday, May 10, because a high-severity vulnerability is being actively exploited.
## CVE-2026-6973: Remote Code Execution
The security flaw, identified as **CVE-2026-6973**, allows attackers with administrative privileges to execute arbitrary code remotely on systems running **EPMM** 12.8.0.0 and earlier. Vulnerabilities of this type are a frequent attack vector for malicious cyber actors and pose a significant risk.
In a Thursday security advisory, **Ivanti** advised customers to install **Ivanti EPMM** versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 to mitigate the risk. They also recommended reviewing accounts with Admin rights and rotating credentials where necessary.
**Ivanti** stated, "At the time of disclosure, we are aware of very limited exploitation of **CVE-2026-6973**, which requires admin authentication for successful exploitation. We are not aware of any customers being exploited by the other vulnerabilities disclosed today."
The company clarified that the issue only affects the on-prem **EPMM** product and is not present in **Ivanti Neurons for MDM**, **Ivanti EPM**, **Ivanti Sentry**, or any other **Ivanti** products.
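
An added example, not from Ivanti or CISA: a branch-aware triage of an on-prem EPMM inventory against the fixed releases named above (12.6.1.1, 12.7.0.1, 12.8.0.1). It assumes four-part version strings whose first two components identify the release branch; the hostnames and inventory versions are constructed.

```python
# Fixed builds and the affected range are taken from the advisory as quoted above.
FIXED_BUILDS = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
LAST_AFFECTED = (12, 8, 0, 0)  # "12.8.0.0 and earlier"

# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "epmm-a.example.internal": "12.8.0.0",
    "epmm-b.example.internal": "12.7.0.1",
    "epmm-c.example.internal": "12.7.0.0",
    "epmm-d.example.internal": "12.5.0.2",
    "epmm-e.example.internal": "12.6.1.1",
    "epmm-f.example.internal": "12.8.0",  # malformed on purpose
}


def parse_version(text):
    """Parse 'a.b.c.d' into a 4-tuple of ints; raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a four-part EPMM version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version_text):
    """Return (status, action) for one appliance version string."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return ("unknown", "confirm the installed version manually")
    fixed = FIXED_BUILDS.get(v[:2])  # assumption: major.minor names the branch
    if fixed is not None:
        # Compare only against this branch's fix: 12.7.0.0 sorts above
        # 12.6.1.1 but is still below its own fixed build, 12.7.0.1.
        if v >= fixed:
            return ("patched", "none")
        return ("vulnerable", "upgrade to " + ".".join(map(str, fixed)))
    if v > LAST_AFFECTED:
        return ("not_listed", "newer than the affected range; check the advisory")
    return ("vulnerable", "no fixed build named for this branch; move to a fixed release")


def triage_inventory(inventory):
    """Return [(host, version, status, action)], vulnerable hosts first."""
    rows = [(host, ver, *triage(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (r[2] != "vulnerable", r[0]))


if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print("{:<26} {:<10} {:<11} {}".format(*row))
```
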
## Exposed Ivanti EPMM Appliances
**Shadowserver**, a nonprofit security organization, is tracking over 800 **Ivanti EPMM** appliances exposed online. However, it is currently unknown how many of these have been patched against **CVE-2026-6973**.
*Ivanti EPMM appliances exposed online (Shadowserver)*
## Past EPMM Vulnerabilities
In late January, **Ivanti** patched two other critical **EPMM** security issues (**CVE-2026-1281** and **CVE-2026-1340**) that were exploited in zero-day attacks affecting a limited number of customers. **CISA** previously ordered U.S. government agencies to secure their systems against attacks targeting the **CVE-2026-1340** flaw on April 8.
**Ivanti** noted that customers who followed their January recommendation to rotate credentials after potential exploitation of **CVE-2026-1281** and **CVE-2026-1340** have significantly reduced their risk of exploitation from **CVE-2026-6973**.
**Ivanti** provides IT asset management solutions to over 40,000 clients worldwide, supported by an extensive network of over 7,000 partners.