CISA Adds Critical Ivanti EPMM Vulnerability to KEV Catalog

CVE-2026-6973 allows authenticated attackers to achieve remote code execution on Ivanti Endpoint Manager Mobile systems.

Summary

  • CISA added CVE-2026-6973 affecting Ivanti Endpoint Manager Mobile to its Known Exploited Vulnerabilities catalog on 7 May 2026
  • The vulnerability allows remotely authenticated administrative users to execute arbitrary code through improper input validation
  • Federal agencies must apply vendor mitigations or discontinue use by 10 May 2026 under BOD 22-01

CISA has added a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog, signalling active exploitation in the wild.

The vulnerability, tracked as [CVE-2026-6973](https://nvd.nist.gov/vuln/detail/CVE-2026-6973), stems from improper input validation in EPMM systems. It allows a remotely authenticated user with administrative access to achieve remote code execution, according to [CISA’s KEV catalog entry](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2026-6973).

CISA added the vulnerability to the catalog on 7 May 2026, with federal agencies required to remediate by 10 May 2026.

Remediation Requirements

Under Binding Operational Directive 22-01, federal civilian agencies must either apply mitigations per vendor instructions or discontinue use of affected products if patches are unavailable.

CISA directs organisations to [Ivanti’s May 2026 security advisory](https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US) for specific remediation guidance. The advisory covers multiple CVEs affecting EPMM systems.

For cloud services, agencies must follow applicable BOD 22-01 guidance when implementing remediation measures.

Exploitation Context

CISA’s decision to add CVE-2026-6973 to the KEV catalog indicates the vulnerability is being actively exploited by threat actors. The agency includes only vulnerabilities for which there is evidence of active exploitation in real-world attacks.

The vulnerability requires administrative credentials for exploitation, but the remote code execution capability represents a significant risk for organisations using EPMM to manage mobile device deployments.

Why It Matters

This addition to CISA’s KEV catalog signals active exploitation of Ivanti EPMM systems, requiring immediate attention from CISOs managing mobile device infrastructure. The vulnerability’s inclusion indicates threat actors are successfully targeting these systems in live environments, making it a priority remediation item for board reporting and risk assessments.

For organisations using EPMM, this is a direct operational risk. For federal agencies it is also a regulatory compliance requirement under BOD 22-01, with potential cascading effects on private sector security standards.

What To Do Now

  • Review Ivanti’s May 2026 security advisory for specific remediation steps covering CVE-2026-6973 and related vulnerabilities
  • Apply vendor-provided mitigations immediately or discontinue EPMM use if patches are unavailable
  • Follow BOD 22-01 guidance for cloud service implementations where applicable
