Ivanti EPMM Hits KEV, Cisco Catalyst SD-WAN Authentication Bypass, and the Continuing Edge-Appliance Problem

CISA formally added the Ivanti Endpoint Manager Mobile remote-code-execution flaw (CVE-2026-6973) to the KEV catalog on Wednesday — the one I flagged a month ago when Shadowserver started tracking it. The number of internet-exposed EPMM instances has dropped from 800 to about 470, which means roughly forty percent of operators heeded the early warning and patched, and roughly sixty percent are still rolling the dice.

Alongside that, CVE-2026-42897 — a Cisco Catalyst SD-WAN Controller and Manager authentication bypass — is now showing up in proof-of-concept exploit code on a couple of underground forums. CISA has not formally added it yet, but the writing is on the wall.

I will not pretend this week's recap is different from the last six. The pattern is the same. The pattern keeps being the same. Let me explain why that matters.

1. CVE-2026-6973 — Ivanti EPMM Formally Added to KEV

CISA KEV added: May 7, 2026 · CVSS: 7.2 (High) · Active exploitation

I covered this one in the April 12 recap when it was a Shadowserver early warning. This week makes it official: federal agencies have to remediate by late May. For the rest of us, the deadline is "before someone weaponizes the public proof-of-concept that is now floating around."

If you run Ivanti EPMM on-prem and you have not patched, this is the third week I have told you to patch. I am running out of polite ways to say it.

Specific guidance:

• Apply the Ivanti EPMM patch from the April 9 advisory.
• Take the admin console off the public internet. Cloudflare Access tunnel or VPN.
• Rotate the admin credentials and force MFA.
• Audit the last 90 days of authentication logs for anomalous admin actions.

2. CVE-2026-42897 — Cisco Catalyst SD-WAN Manager Authentication Bypass

Severity: Critical (unauthenticated admin) · Status: Patched by Cisco; not yet on KEV; PoC exists

Cisco patched this one in their April security advisory, but the exploit chain became public in early May. CVE-2026-42897 lets an unauthenticated remote attacker bypass authentication entirely and get administrative privileges on Cisco Catalyst SD-WAN Controller and Manager.

If you run the SD-WAN fabric I called out two weeks ago, that is now four critical issues against the same Cisco product family in one month. The control plane for whatever multi-site network you are running is, frankly, on fire right now. Patch the SD-WAN Manager, audit the controller fabric, and consider whether the management plane really needs to be accessible from the corporate LAN or whether it should live on a dedicated management VLAN with no general-user access.

Eight Months of Recaps, Same Story

I went back and counted. Since I started writing this weekly recap, edge appliances — VPNs, SD-WAN controllers, mobile device management consoles, remote-support gateways — have appeared in 26 of 32 weekly recaps. That is eighty-one percent. The supply chain of bug research is delivering critical perimeter flaws roughly four out of every five weeks.

This is not because the products are uniquely badly written. They are not. It is because they are exactly where attackers look, and bug bounty programs and security researchers follow the attacker incentive curve.

If you have been reading these every week and your perimeter still has appliances that have never been audited, never had their admin consoles removed from the public internet, and never had MFA enforced — please understand what I am telling you. The expected wait time for the next critical perimeter flaw is roughly nine days. The expected wait time for someone to weaponize it is roughly the same.

What to Do About It, Concretely

I do not want to keep writing the same recap. Let me list what BVTech does, week one of an engagement, for every Texas client that has any perimeter appliances at all:

• Inventory. Every appliance, brand, model, firmware version, what it does. On paper. Updated quarterly.
• Remove the management plane from the public internet. Cloudflare Access, WireGuard, or a strict source-IP allowlist on the firewall. Pick one. Implement.
• Enforce MFA on every appliance admin login. If the product does not support MFA, replace the product.
• Subscribe to vendor PSIRT feeds. Every box on the inventory has a vendor security advisory mailing list. Be on it.
• Map each appliance to its CISA KEV monitoring scope. When KEV publishes, we know within hours whether anything we run is on the list.
• Have a written patching SLA. Critical KEV entries get patched within 48 hours of the federal deadline. Non-KEV criticals get patched within seven days.

None of this is rocket science. The reason most small Texas businesses do not have it in place is not technical, it is operational — nobody owns it, so it does not get done. Fix the ownership problem and the rest follows.

Want Someone to Own Your Perimeter?

BVTech\’s managed-services engagements include the entire perimeter playbook above, documented, audited, and updated quarterly. Most of our clients pay less per month for the full program than what they were previously paying a break/fix shop just to "look at the firewall." Call (210) 538-3669 or email [email protected] for a free perimeter review.

— Jordan Polasek is the Founder and Managing Partner of BVTech LLC, a Texas-based managed IT services provider. He holds AWS and 1Password certifications, the Certified Polysomnographic Technologist credential (CPSGT #294), and won the SuperOps Solo MSP of the Year Award in 2023. Connect with Jordan on LinkedIn or at jordanpolasek.com.