Closed · Medium impact · AI Generated

CISA Mandates Federal Patch of Ivanti EPMM Zero-Day CVE-2026-6973 by 10 May 2026

Occurred 7 May 2026 · Detected 10 May 2026
🇺🇸 United States federal agencies and globally exposed Ivanti EPMM on-premises deployments; CISA headquartered in Washington D.C., USA
2 reports · Ended 29 May 2026
CyberPropertyCyberCasualty & Liability

CISA has added CVE-2026-6973, a high-severity remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM) versions 12.8.0.0 and earlier, to its Known Exploited Vulnerabilities catalogue following confirmed zero-day exploitation. The agency has ordered US federal agencies to apply patches by midnight 10 May 2026. Ivanti has released fixed versions (12.6.1.1, 12.7.0.1, 12.8.0.1) and confirmed exploitation is currently limited, requiring admin authentication. Over 800 Ivanti EPMM appliances remain exposed online according to Shadowserver, with the vulnerability affecting only on-premises deployments.

AI-generated from linked source reports.

Impact verdict

Medium impact. The vulnerability targets US federal agencies and over 800 internet-exposed on-premises EPMM appliances globally, posing significant risk to government and enterprise IT infrastructure. However, exploitation requires admin authentication and has so far been confirmed as very limited, constraining immediate insured loss potential.

How we grade what we know: Known · Reported · Uncertain.

Intelligence ledger

Known (7 lines)

  • CVE-2026-6973 is a high-severity RCE flaw in Ivanti EPMM 12.8.0.0 and earlier, requiring admin authentication for exploitation.
  • CISA added CVE-2026-6973 to its Known Exploited Vulnerabilities catalogue on 8 May 2026.
  • CISA has mandated US federal agencies patch by midnight Sunday, 10 May 2026.
  • Ivanti released patches: EPMM versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
  • Shadowserver tracks over 800 Ivanti EPMM appliances exposed online.
  • The vulnerability only affects on-premises EPMM; cloud-based Ivanti Neurons for MDM is not affected.
  • Ivanti serves over 40,000 clients worldwide.

Reported (2 lines)

  • Exploitation at time of disclosure was described as 'very limited' by Ivanti.
  • Customers who rotated credentials following January 2026 CVE-2026-1281/CVE-2026-1340 exploitation have significantly reduced risk from CVE-2026-6973.

Uncertain (3 lines)

  • The identity and attribution of the threat actors exploiting CVE-2026-6973 in zero-day attacks have not been disclosed.
  • The number of EPMM appliances already patched against CVE-2026-6973 is unknown.
  • Whether any specific federal agency systems have been compromised is not confirmed.

Geographic Zone Matches

1 active match

  • TRIA Certified Areas
    Rule-based · Confidence 100%

Geographic zone matches are RiskEvents spatial/analytical indicators, not coverage determinations or Lloyd's official classifications.

Affected countries

🇪🇺 European Union member states · 🇺🇸 United States

Timeline

Status Change · 2 Jun 2026, 13:05

Lifecycle changed

monitoring → closed

Closure · 2 Jun 2026, 13:05

Event Closed

auto_closed_monitoring_timeout

Status Change · 29 May 2026, 05:30

Status changed to monitoring

Auto-transitioned: no updates for 6 hours

active → monitoring

Status Change · 28 May 2026, 22:36

Status changed to active

remediation: existing authoritative signal

signal → active

Corroboration · 10 May 2026, 22:25

Ivanti disclosed a high-severity remote code execution zero-day vulnerability (CVE-2026-6973) in Endpoint Manager Mobile (EPMM) versions 12.8.0.0 and earlier on 7 May 2026, warning of very limited active exploitation. The flaw stems from improper input validation and requires administrative privileges for exploitation. Shadowserver tracks over 850 exposed EPMM instances globally, predominantly in Europe (508) and North America (182). Patches were released in EPMM versions 12.6.1.1, 12.7.0.1, and 12.8.0.1, and four additional high-severity EPMM vulnerabilities were simultaneously patched.

Source: BleepingComputer (Trade Media)

Initial Detection · 10 May 2026, 22:15

CISA has given U.S. federal agencies four days to secure their networks against a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited in zero-day attacks. Tracked as CVE-2026-6973, this security flaw allows attackers with administrative privileges to execute arbitrary code remotely on systems running EPMM 12.8.0.0 and earlier.

Source: BleepingComputer (Trade Media)
