CISA Adds Ivanti EPMM Vulnerability to KEV Catalog

Remote code execution flaw in Endpoint Manager Mobile requires immediate action by federal agencies.

TL;DR

  • CISA added CVE-2026-6973 affecting Ivanti Endpoint Manager Mobile to the Known Exploited Vulnerabilities catalog
  • The vulnerability allows authenticated administrators to achieve remote code execution through improper input validation
  • Federal agencies must apply mitigations or discontinue use by 10 May 2026

The US Cybersecurity and Infrastructure Security Agency has added CVE-2026-6973 to its Known Exploited Vulnerabilities catalog, marking an improper input validation vulnerability in Ivanti Endpoint Manager Mobile as actively exploited in the wild.

The vulnerability affects [Ivanti Endpoint Manager Mobile (EPMM)](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2026-6973) and allows a remotely authenticated user with administrative access to achieve remote code execution through improper input validation.

Remediation requirements

Under Binding Operational Directive 22-01, federal civilian executive branch agencies must apply mitigations according to vendor instructions or discontinue use of the product if mitigations are unavailable. The remediation deadline is 10 May 2026.

CISA has also specified that agencies should follow applicable BOD 22-01 guidance for cloud services where relevant.

The agency references [Ivanti’s May 2026 Security Advisory](https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US) for specific mitigation instructions, indicating this vulnerability is part of a broader set of security issues addressed by the vendor.

Why It Matters

Addition to the KEV catalog signals active exploitation, making this a priority for any organisation using Ivanti EPMM. The administrative access requirement doesn’t diminish risk significantly, as compromised admin credentials or insider threats could exploit this vulnerability for lateral movement or persistence.

Mobile device management platforms like EPMM typically have extensive network access and manage sensitive corporate data, making successful exploitation particularly damaging for organisational security posture.

What To Do Now

  • Check if your organisation uses Ivanti Endpoint Manager Mobile and identify affected instances
  • Review Ivanti’s May 2026 Security Advisory for specific mitigation guidance
  • Apply vendor-recommended mitigations immediately or prepare to discontinue use if mitigations are unavailable
  • Monitor administrative access to EPMM systems and review recent administrative activity for signs of compromise
