CISA Orders Federal Agencies to Patch Critical Ivanti Endpoint Manager Mobile Zero‑Day (CVE‑2026‑6973) Within Four Days
What Happened — CISA issued an emergency directive requiring all U.S. federal agencies to remediate a high‑severity, remotely exploitable zero‑day (CVE‑2026‑6973) in Ivanti Endpoint Manager Mobile (EPMM) within four days. The flaw lets an attacker with administrative credentials execute arbitrary code on on‑prem EPMM servers 12.8.0.0 and earlier.
Why It Matters for TPRM —
- Federal‑level mandate signals a rapid, coordinated threat that can cascade to third‑party contractors and SaaS providers.
- The vulnerability resides in on‑prem endpoint‑management software widely deployed across enterprises, exposing supply‑chain risk.
- Limited exploitation already observed; unpatched assets remain a high‑value target for nation‑state and criminal actors.
Who Is Affected — Government agencies, contractors, and any organization using Ivanti EPMM on‑premises (≈ 800 exposed appliances identified).
Recommended Actions —
- Verify whether any on‑prem EPMM instances are in use; if so, apply Ivanti patches 12.6.1.1, 12.7.0.1, or 12.8.0.1 immediately.
- Conduct an admin‑account audit; rotate or remove unnecessary privileged credentials.
- Review third‑party contracts for EPMM coverage and ensure vendors have applied the fix.
- Update vulnerability management dashboards to flag CVE‑2026‑6973 as critical.
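An added example (not from the source article or from Ivanti) of the first action above: triaging an asset inventory against the fixed builds 12.6.1.1, 12.7.0.1 and 12.8.0.1. The branch-to-fix mapping, the treatment of later builds on a fixed branch as patched, and the hostnames and sample versions are assumptions made for illustration.

```python
# Fixed builds named in the brief, keyed by release branch (major, minor).
# Assumption: each fix applies to its own branch, and later builds keep it.
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
LAST_AFFECTED = (12, 8, 0, 0)  # the brief: "12.8.0.0 and earlier"


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted version."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def classify(version_text):
    """Classify one reported on-prem EPMM version for CVE-2026-6973 triage."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # check by hand; never assume an unreadable value is patched
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    # Branch with no fixed build listed: judge only against the affected ceiling.
    return "vulnerable" if v <= LAST_AFFECTED else "not-affected"


def triage(inventory):
    """Map hostname -> status for an iterable of (hostname, version) pairs."""
    return {host: classify(ver) for host, ver in inventory}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [
    ("epmm-a.example.internal", "12.8.0.0"),
    ("epmm-b.example.internal", "12.8.0.1"),
    ("epmm-c.example.internal", "12.6.1.0"),
    ("epmm-d.example.internal", "12.5.0.3"),
    ("epmm-e.example.internal", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:26} {status}")
```

Hosts reported as `unknown` or on a branch with no listed fix need manual follow-up with the vendor advisory before they are closed out.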
Technical Notes — The CVE is a remote code execution flaw triggered by authenticated admin access; exploitation requires valid admin credentials but can be chained with credential‑theft techniques. It affects only the on‑prem EPMM product, not Ivanti’s cloud‑based Neurons MDM or other Ivanti suites. No public evidence of data exfiltration yet, but the attack surface includes over 800 internet‑exposed appliances.
Source: BleepingComputer