The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-6973 with a CVSS score of 7.1, to its Known Exploited Vulnerabilities catalog. Ivanti warns that the high-severity zero‑day is already being exploited and that successful exploitation requires admin authentication; exploitation was reported as very limited at disclosure.
The vulnerability arises from improper input validation and can allow attackers with admin privileges to execute arbitrary code on systems running EPMM 12.8.0.0 and earlier; patches are available in EPMM versions 12.6.1.1, 12.7.0.1 and 12.8.0.1. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must address the identified flaws by the due date to protect networks.
CISA also notes that federal agencies are required to fix the vulnerability by 10 May 2026, and it urges private organisations to review the Known Exploited Vulnerabilities catalog and apply updates accordingly.
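
Because the fixes ship on three release branches, a plain "12.8.0.0 or earlier" comparison would flag the already-patched 12.6.1.1 and 12.7.0.1 builds. The following added example (not Ivanti or CISA code) triages a constructed inventory per branch; the hostnames, the rule that later builds in a branch carry the fix, and the rule that releases after 12.8.0.1 are patched are assumptions.

```python
# Added example: branch-aware patch triage for CVE-2026-6973 (not vendor code).
from datetime import date

# Fixed builds named in the article, keyed by (major, minor) release branch.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
NEWEST_FIXED = max(FIXED.values())
KEV_DUE = date(2026, 5, 10)  # federal remediation deadline from the article


def parse_version(text):
    """Turn '12.7.0.1' into (12, 7, 0, 1); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EPMM version: {text!r}")
    return tuple(int(p) for p in parts)


def status(version_text):
    """Classify one EPMM build as 'patched', 'vulnerable' or 'unknown'."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unknown"  # never treat an unparseable version as safe
    if v >= NEWEST_FIXED:
        return "patched"  # assumption: releases after 12.8.0.1 include the fix
    fix = FIXED.get(v[:2])
    # Assumption: within a branch, builds at or above the listed fix carry it.
    # Branches with no listed fix (e.g. 12.5.x) stay vulnerable until upgraded.
    return "patched" if fix and v >= fix else "vulnerable"


def triage(inventory, today):
    """Return rows that still need action and the days left to the KEV due date."""
    rows = [(h, v, status(v)) for h, v in inventory]
    return [r for r in rows if r[2] != "patched"], (KEV_DUE - today).days


if __name__ == "__main__":
    # Constructed inventory; hostnames are placeholders.
    sample = [("mdm-a.example", "12.8.0.0"), ("mdm-b.example", "12.7.0.1"),
              ("mdm-c.example", "12.5.0.3"), ("mdm-d.example", "12.6.1.1"),
              ("mdm-e.example", "n/a")]
    todo, days_left = triage(sample, date(2026, 5, 1))
    for host, ver, st in todo:
        print(f"{host:15} {ver:10} {st}")
    print(f"days until KEV due date: {days_left}")
```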