Security News

Cybersecurity news aggregator

Vulnerabilities (SC Media)

Federal agencies ordered to patch Ivanti EPMM zero-day in 3 days

CISA has given federal agencies three days to patch CVE-2026-6973, a high-severity (CVSS 7.2) improper input validation flaw in Ivanti EPMM that lets a remotely authenticated user with administrative privileges execute arbitrary code. Affected builds are all versions prior to 12.6.1.1, plus 12.7.0.0 and 12.8.0.0. The fix is to upgrade to EPMM 12.6.1.1, 12.7.0.1 or 12.8.0.1, which also resolves the two critical unauthenticated RCE vulnerabilities disclosed in January (CVE-2026-1281 and CVE-2026-1340).

By Laura French, SC Media, May 8, 2026

The Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity Ivanti Endpoint Manager Mobile (EPMM) vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, giving federal civilian executive branch agencies until May 10 to fix the flaw.

The vulnerability, tracked as CVE-2026-6973, is an improper input validation flaw in Ivanti EPMM that could enable a remotely authenticated user with administrative privileges to execute arbitrary code. CVE-2026-6973 has a CVSS score of 7.2 and affects EPMM versions prior to 12.6.1.1, 12.7.0.1 and 12.8.0.1.

Ivanti said in an advisory Thursday that a “very limited number of customers” have been affected by exploitation of the zero-day. “Successful exploitation requires Admin authentication. If customers followed Ivanti’s recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced,” the company stated. The reasoning behind that advice is that administrator credentials harvested through the earlier unauthenticated flaws are the most likely way for an attacker to satisfy this one's authentication requirement, so credentials that were never rotated remain a live path in.

Federal agencies have until May 10, 2026, to resolve the vulnerability, with CISA stating, “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”

CVE-2026-1281 and CVE-2026-1340 are two critical vulnerabilities in Ivanti EPMM that were disclosed in January 2026 and could lead to unauthenticated remote code execution (RCE). CVE-2026-1281 was added to the KEV catalog on Jan. 29, 2026, and CVE-2026-1340 on April 8. Both have a CVSS score of 9.8.

The critical flaws were suspected of involvement in attacks on the Dutch Data Protection Authority and Judicial Council and the European Commission in early February; around the same time, Palo Alto Networks reported a widespread surge in attacks involving the flaws, targeting several critical infrastructure sectors across the United States, Germany, Australia and Canada.

Upgrading to versions 12.6.1.1, 12.7.0.1 and 12.8.0.1 resolves CVE-2026-6973 as well as CVE-2026-1281 and CVE-2026-1340. The previous two vulnerabilities were also given similarly short three-day patch deadlines by CISA. CISA typically gives federal agencies two to three weeks to patch vulnerabilities added to the KEV catalog unless there is an elevated risk. Earlier this week, Reuters reported that CISA was considering shortening the average deadline to three days in response to AI advancements such as the release of Claude Mythos.
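A fleet triage helper written for this page as an added example; it is not Ivanti's or SC Media's code. It encodes the fixed builds named in the article (12.6.1.1, 12.7.0.1, 12.8.0.1) and the KEV deadline, flags inventory entries still on a vulnerable build, and reports whether the deadline has passed. The hostnames and versions in the sample inventory are constructed. Treating 12.6.x builds at or above 12.6.1.1, and any branch newer than 12.8, as fixed is an assumption drawn from the article's "prior to" wording, not something Ivanti's advisory is quoted as saying.

```python
from datetime import date

# Fixed builds named in the article, keyed by release branch (major, minor).
FIXED_BY_BRANCH = {
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
# Any build below this is vulnerable on every branch ("prior to 12.6.1.1").
BASELINE_FIX = (12, 6, 1, 1)
# Federal remediation deadline from the CISA KEV entry, per the article.
KEV_DEADLINE = date(2026, 5, 10)


def parse_version(s):
    """Turn '12.7' or '12.7.0.1' into a comparable 4-tuple of ints."""
    parts = s.strip().split(".")
    if not parts or len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable EPMM version: {s!r}")
    v = tuple(int(p) for p in parts)
    return v + (0,) * (4 - len(v))  # pad so 12.7 compares as 12.7.0.0


def is_vulnerable(version):
    """True if the build is below the fixed version for its branch.

    Assumption (not stated in the article): 12.6.x builds at or above
    12.6.1.1 and branches newer than 12.8 are treated as fixed.
    """
    v = parse_version(version)
    if v < BASELINE_FIX:
        return True
    branch_fix = FIXED_BY_BRANCH.get(v[:2])
    return branch_fix is not None and v < branch_fix


def triage(inventory, today=None):
    """Classify (hostname, version) pairs against the advisory.

    Unparseable versions are flagged for manual review rather than silently
    treated as fixed. `today` may be a date, an ISO string, or None (today).
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for host, version in inventory:
        try:
            status = "VULNERABLE" if is_vulnerable(version) else "fixed"
        except ValueError:
            status = "UNKNOWN (review manually)"
        rows.append({
            "host": host,
            "version": version,
            "status": status,
            "past_kev_deadline": status == "VULNERABLE" and today > KEV_DEADLINE,
        })
    return rows


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("epmm-east-01", "12.6.0.3"),
    ("epmm-east-02", "12.6.1.1"),
    ("epmm-west-01", "12.7.0.0"),
    ("epmm-west-02", "12.7.0.1"),
    ("epmm-lab-01", "12.8.0.0"),
    ("epmm-lab-02", "12.8.0.1"),
    ("epmm-legacy", "12.5.2.0"),
    ("epmm-odd", "12.8-beta"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, today="2026-05-11"):
        print(f"{row['host']:<14} {row['version']:<10} {row['status']:<26} "
              f"past_deadline={row['past_kev_deadline']}")
```

Feed it the version strings your MDM inventory or EPMM admin portal reports; anything that does not parse cleanly (custom build tags, blank fields) comes back as UNKNOWN so it is not mistaken for a patched host.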
