Last updated: May 13, 2026 at 5:42 AM UTC
Tag: federal-deadline (2 articles)

Ivanti EPMM zero-day actively exploited - attackers are getting admin-level RCE on mobile device management servers (CVE-2026-6973)

Ivanti disclosed Wednesday that attackers are exploiting a zero-day in Endpoint Manager Mobile (EPMM), tracked as CVE-2026-6973, to gain admin-level remote code execution on enterprise MDM servers. Successful exploitation gives the attacker control over the MDM platform that pushes apps and configurations to managed mobile fleets - a foothold that can pivot into managed devices and the corporate identity layer. CISA added the flaw to its Known Exploited Vulnerabilities catalog the same day with a federal patch deadline next week. Ivanti products have a long history of zero-day exploitation.

Check
Inventory Ivanti EPMM (formerly MobileIron Core) instances and check whether any are internet-reachable. Hunt EPMM admin logs for unusual admin actions, new admin accounts, or unfamiliar OAuth tokens issued since April.
Affected
Ivanti Endpoint Manager Mobile (EPMM) installations on versions before the May 6 patch. Acute risk for internet-reachable EPMM instances. The MDM context means a successful exploit can push tampered apps or profiles to every managed mobile device. Federal agencies under BOD 22-01 must patch by mid-May.
Fix
Upgrade Ivanti EPMM to the patched release per Ivanti's advisory. Until patched, restrict EPMM admin access to internal networks or VPN-only paths. Rotate EPMM admin credentials and any API tokens issued for downstream integrations (SCEP/certificate authorities, identity providers, and similar). Audit managed mobile devices for unfamiliar apps, configuration profiles, or VPN configurations pushed since April.

cPanel ransomware attackers are now hunting government agencies and the IT companies that manage them

Update on the cPanel ransomware wave covered May 3: attackers exploiting CVE-2026-41940 have shifted focus and are now targeting governments and managed service providers. Security Affairs reports the operation is no longer just opportunistic mass-encryption of small business websites - the actors are deliberately looking for hosting accounts owned by government agencies and IT firms that manage downstream customers. CISA added the cPanel flaw to its KEV catalog Friday with a federal patch deadline of May 21. With 44,000 cPanel hosts already compromised in the initial wave, the secondary phase targeting MSPs has the potential to multiply impact through customer-tenant relationships - much like the 2021 Kaseya VSA campaign.

Check
Audit /var/cpanel/sessions/raw/ for entries created since February 23, 2026. Search for files with the .sorry extension across hosted sites. Check authentication logs for unusual successful logins between February 23 and April 28.
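The first two indicators above can be swept in one pass. The script below is an added example, not code from the page or from cPanel: it counts session files under /var/cpanel/sessions/raw modified after the campaign start date and files carrying the .sorry extension under the account home directories. The session path and the extension come from the text; that hosted sites live under ROOT/home is the cPanel default and is an assumption here, as is using file modification time as the proxy for "created since". The authentication-log review is not automated because the relevant log and its format depend on the installation. Pass / for a live host or the mount point of a copied filesystem image.

```shell
#!/bin/sh
# Added example (not from the page or from cPanel): sweep a cPanel host, or a
# mounted filesystem image of one, for two of the Check-section indicators.
# Assumptions: account home directories live under ROOT/home; mtime stands in
# for creation time for session files.

# Number of session files under ROOT/var/cpanel/sessions/raw modified after
# SINCE (YYYY-MM-DD). A reference file plus POSIX -newer is used so the check
# works on GNU and busybox find alike.
count_new_sessions() {
    root="$1"; since="$2"
    dir="$root/var/cpanel/sessions/raw"
    [ -d "$dir" ] || { printf '0\n'; return 0; }
    ref=$(mktemp)
    touch -d "$since" "$ref"
    find "$dir" -type f -newer "$ref" | wc -l | tr -d ' '
    rm -f "$ref"
}

# Number of ransomware-renamed files (*.sorry) under ROOT/home.
count_sorry_files() {
    root="$1"
    find "$root/home" -type f -name '*.sorry' 2>/dev/null | wc -l | tr -d ' '
}

# Run both checks and report. Returns 1 if either indicator is present so the
# function can gate an automated triage pipeline. Defaults: ROOT=/, and the
# campaign start date given in the Check section.
hunt_cpanel_iocs() {
    root="${1:-/}"; since="${2:-2026-02-23}"
    sessions=$(count_new_sessions "$root" "$since")
    sorry=$(count_sorry_files "$root")
    printf 'session files newer than %s: %s\n' "$since" "$sessions"
    printf '.sorry files under %s/home: %s\n' "$root" "$sorry"
    if [ "$sessions" -gt 0 ] || [ "$sorry" -gt 0 ]; then
        printf 'RESULT: indicators present, treat host as compromised\n'
        return 1
    fi
    printf 'RESULT: no indicators found (absence of these two is not proof of a clean host)\n'
    return 0
}

# Usage on a live host:   hunt_cpanel_iocs /
# Usage on a mounted image: hunt_cpanel_iocs /mnt/evidence 2026-02-23
```

A non-zero count of post-February-23 session files is a lead, not a verdict: legitimate logins create them too, so follow up by tying each session to the login log and the source address before declaring compromise.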
Affected
Government agencies, MSPs, and hosting companies running unpatched cPanel infrastructure. Particularly acute: MSPs whose cPanel instances host downstream customer accounts - a single compromise spreads to many tenants. Federal agencies under BOD 22-01 must patch by May 21. State and local governments without that mandate face the same active threat without the same enforcement.
Fix
Patch cPanel to the fixed build for your release branch or later: 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5. On hosts that show indicators of compromise, restore from backups predating February 23 rather than just resuming operations on the existing install. Rotate root, admin, and customer credentials. For MSPs: notify customers proactively before they discover compromise from a ransom note.
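Because the fix ships as a separate build per branch, "am I patched" means "is my build at or above the fixed build for my branch", not "am I on the newest version". The script below is an added example, not code from the page or from cPanel: it does that branch-aware comparison against the six fixed builds listed in the Fix section, and returns a distinct status for branches that have no fixed build at all (which need a branch upgrade, not a point patch). Reading the installed version from /usr/local/cpanel/version is an assumption about where cPanel records its build; pass the version string explicitly when checking an inventory collected elsewhere.

```shell
#!/bin/sh
# Added example (not from the page or from cPanel): branch-aware check of a
# cPanel build against the fixed builds named in the advisory summary above.
# Assumption: /usr/local/cpanel/version holds the installed build string.

# Fixed builds from the Fix section, one per maintained branch.
CPANEL_FIXED_BUILDS="11.110.0.97 11.118.0.63 11.126.0.54 11.132.0.29 11.134.0.20 11.136.0.5"

# Compare two dotted version strings component by component, numerically
# (so 11.110.0.97 > 11.110.0.9, which a plain string compare gets wrong).
# Prints -1, 0 or 1. Missing trailing components count as 0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=''; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=''; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Release branch of a build: 11.110.0.97 -> 11.110
branch_of() { printf '%s\n' "${1%.*.*}"; }

# Exit 0 if VERSION is the fixed build for its branch or later, 1 if it is
# older than that fixed build, 2 if the branch has no fixed build in the
# advisory (no point patch exists; move to a maintained branch).
cpanel_patched() {
    v="$1"; br=$(branch_of "$v")
    for fixed in $CPANEL_FIXED_BUILDS; do
        [ "$(branch_of "$fixed")" = "$br" ] || continue
        if [ "$(vercmp "$v" "$fixed")" -ge 0 ]; then
            printf '%s: fixed (>= %s)\n' "$v" "$fixed"; return 0
        fi
        printf '%s: VULNERABLE, upgrade to %s\n' "$v" "$fixed"; return 1
    done
    printf '%s: branch %s has no fixed build in the advisory; upgrade to a maintained branch\n' "$v" "$br"
    return 2
}

# Usage on the host itself (assumed version file):
#   cpanel_patched "$(cat /usr/local/cpanel/version)"
# Usage against an inventory export:
#   while read -r host ver; do printf '%s ' "$host"; cpanel_patched "$ver"; done < inventory.txt
```

The three exit codes are deliberate: an MSP sweeping hundreds of hosts wants "not patchable on this branch" separated from "patch available but not applied", since the first needs a scheduled major upgrade and the second is a same-day action.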