MONDAY INTEL DROP | WEEKLY BRIEF
Active Threat · 12 min read

3 Critical Threats This Week: Ivanti EPMM Zero-Day, DAEMON Tools Supply Chain, Trellix Breach

- **CVSS 7.2**: severity of CVE-2026-6973 in Ivanti EPMM, the platform's third actively exploited zero-day in 2026, with the CISA federal patch deadline expired as of May 10
- **28 days**: DAEMON Tools official signed installers distributed a QUIC RAT backdoor undetected before Kaspersky discovered the supply chain compromise on May 5, 2026
- **3.65 TB**: volume of data RansomHouse claims exfiltrated from Trellix source code repositories, with VMware and Dell EMC infrastructure potentially also accessed
- **3rd**: number of separate Ivanti EPMM zero-day exploitation events in 2026, following CVE-2026-1281 and CVE-2026-1340 in January, both exploited unauthenticated at CVSS 9.8

CISA's emergency patch deadline for CVE-2026-6973, Ivanti's third actively exploited Endpoint Manager Mobile zero-day in 2026, expired May 10, leaving organizations running unpatched on-premises EPMM servers exposed to confirmed active exploitation.

**Ivanti EPMM zero-day CVE-2026-6973** is an improper input validation flaw (CWE-20) in the mobile device management platform that enterprises and government agencies use to manage employee devices, enforce security policies, and distribute corporate applications. An attacker holding valid EPMM admin credentials can submit a crafted request to a vulnerable API endpoint, triggering arbitrary OS command execution on the server. CISA confirmed limited targeted exploitation and added the vulnerability to the Known Exploited Vulnerabilities catalog on May 8, the same day Ivanti published its advisory, then issued an emergency directive giving federal agencies three business days to patch. That deadline passed yesterday.

The CVE-2026-6973 post-authentication requirement does not reduce risk as much as it appears. Ivanti EPMM has now recorded three separately exploited zero-days in five months: CVE-2026-1281 and CVE-2026-1340 in January provided unauthenticated access at CVSS 9.8. Any admin credential not rotated since January, reused across services, accessible via phishable MFA, or in continuous use for more than 90 days represents a viable exploitation prerequisite today.

Two additional threats complete this week's picture. Kaspersky disclosed on May 5 that official DAEMON Tools Lite installers were backdoored with a QUIC RAT for 28 consecutive days using signed binaries from the official download page. Separately, RansomHouse claimed a breach of Trellix, the enterprise cybersecurity vendor, with 3.65 TB of alleged source code exfiltrated and independent researchers warning that VMware and Dell EMC infrastructure may also be involved. Three supply chain and vendor integrity events in a single week require a coordinated response across patch management, software inventory, and vendor monitoring.


How Does CVE-2026-6973 in Ivanti EPMM Work?

**CVE-2026-6973** is classified under CWE-20 (Improper Input Validation) and resides in an administrative API endpoint within the Ivanti Endpoint Manager Mobile on-premises server. The vulnerable endpoint processes user-supplied input without adequate sanitization. An attacker with valid admin-level credentials submits a crafted request to trigger OS command execution in the context of the EPMM service account.

The attack path starts with credential access to the EPMM admin console. Unlike the January 2026 EPMM vulnerabilities CVE-2026-1281 and CVE-2026-1340, which allowed unauthenticated access, CVE-2026-6973 requires authenticated access. For an MDM platform managing mobile device enrollment, policy enforcement, and application distribution across an entire corporate fleet, admin credential access is a lower bar than it appears: any prior credential compromise, password reuse, phishing of an IT administrator, or reuse of credentials exposed in the January 2026 incident creates a viable attack path.

Affected versions are all Ivanti EPMM on-premises deployments at or before version 12.8.0.0. Patched versions are 12.6.1.1, 12.7.0.1, and 12.8.0.1. Ivanti Neurons for MDM, the cloud-hosted product, is not affected by this vulnerability.

Related CVEs in this advisory release include CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821, which address additional validation and authentication issues in EPMM and adjacent components. Ivanti's full advisory covers the complete fix manifest. SecurityWeek notes that organizations that rotated admin credentials after the January 2026 EPMM advisory face "significantly reduced" risk for CVE-2026-6973, but Ivanti and CISA both characterize this as non-eliminated risk requiring patch application regardless of prior credential hygiene actions.

CISA Emergency Directive: The May 10 Federal Deadline Has Passed

CISA added CVE-2026-6973 to the Known Exploited Vulnerabilities catalog on May 8, 2026, the same day Ivanti published its advisory. On the same day, CISA issued an emergency directive ordering all Federal Civilian Executive Branch agencies to apply patches or implement compensating controls within three business days, placing the compliance deadline at May 10, 2026. That deadline expired yesterday.

The three-day window reflects CISA's assessment of active exploitation severity and the sensitivity of what EPMM manages. A compromised MDM server provides the ability to push malicious profiles to all enrolled devices, extract certificates and enrollment credentials, access corporate application data stored on managed devices, and monitor device locations. SecurityWeek's reporting characterizes exploitation as "limited targeted attacks," the phrase CISA uses when evidence points to specific identified targets rather than opportunistic mass scanning.

The targeting profile is consistent with the January 2026 EPMM incidents, which attribution analysis linked to a suspected nation-state cluster focused on defense, government, and critical infrastructure organizations using Ivanti EPMM for mobile device management. Three exploitation events against the same platform in five months indicate sustained adversary investment in finding and exploiting EPMM vulnerabilities, not opportunistic targeting.

For private sector organizations not subject to CISA emergency directives, the KEV designation provides the same operational signal: exploitation is confirmed, attack tooling is deployed, and unpatched systems are active targets. Apply Ivanti's patch as an emergency deployment regardless of regulatory obligations. After patching, rotate all EPMM admin account credentials and audit the admin user list for unauthorized additions made during any window of active exploitation.
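The post-patch steps above (confirm the installed build is a fixed one, rotate admin credentials, audit the admin user list) and the credential-hygiene criteria the brief lists (not rotated since January, older than 90 days, protected only by phishable MFA) can be scripted against an admin-console export. The following is an added example written for this brief, not Ivanti or CISA tooling: the version and date facts are the ones stated above, while the inventory layout, the `fido2`/`otp`/`none` MFA field values, the end-of-January rotation cutoff, and the sample accounts are constructed assumptions.

```python
"""Post-patch triage for Ivanti EPMM CVE-2026-6973.

Added example for this brief; not Ivanti's or CISA's tooling. Version and date
facts come from the advisory as summarised on the page; the admin-account
inventory format and the sample accounts are constructed for illustration.
"""
from datetime import date

# Advisory facts: on-prem EPMM at or before 12.8.0.0 is affected; fixed builds
# are 12.6.1.1, 12.7.0.1 and 12.8.0.1 (one per maintained 12.x track).
LAST_AFFECTED = (12, 8, 0, 0)
FIXED_BY_TRACK = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}

JANUARY_ADVISORY = date(2026, 1, 31)  # assumption: end of January as the rotation cutoff
REVIEW_WINDOW_DAYS = 30               # "audit ... in the past 30 days"
MAX_CREDENTIAL_AGE_DAYS = 90          # "continuous use for more than 90 days"
PHISHING_RESISTANT_MFA = {"fido2", "certificate"}  # assumption: values of the export's mfa field


def parse_version(text: str) -> tuple:
    """'12.6.1.1' -> (12, 6, 1, 1) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def epmm_status(version: str) -> str:
    """Classify an on-prem EPMM build against the CVE-2026-6973 fix list.

    Assumption not stated on the page: a build later than the fixed build on
    the same 12.x track also carries the fix.
    """
    v = parse_version(version)
    fixed = FIXED_BY_TRACK.get(v[:2])
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    if v <= LAST_AFFECTED:
        return "vulnerable"       # older track (e.g. 12.5.x): move to a patched track
    return "not-in-advisory"      # newer than anything the advisory covers


def flag_admin_accounts(accounts: list, today: date) -> dict:
    """Return {account name: [finding, ...]} for admin accounts that need action.

    Each account is a dict with 'name', 'created', 'last_password_change' (dates)
    and 'mfa' (string); this layout is an assumption about the console export.
    Accounts with no findings are omitted.
    """
    findings = {}
    for acct in accounts:
        reasons = []
        if (today - acct["created"]).days <= REVIEW_WINDOW_DAYS:
            reasons.append("created-in-review-window")       # confirm it was authorised
        if acct["last_password_change"] <= JANUARY_ADVISORY:
            reasons.append("not-rotated-since-january-advisory")
        if (today - acct["last_password_change"]).days > MAX_CREDENTIAL_AGE_DAYS:
            reasons.append("credential-older-than-90-days")
        if acct["mfa"] not in PHISHING_RESISTANT_MFA:
            reasons.append("mfa-phishable")
        if reasons:
            findings[acct["name"]] = reasons
    return findings


# Constructed sample inventory (not real accounts) and the brief's date.
TODAY = date(2026, 5, 11)
SAMPLE_ACCOUNTS = [
    {"name": "mdm-admin", "created": date(2024, 3, 1),
     "last_password_change": date(2025, 12, 15), "mfa": "otp"},
    {"name": "svc-deploy", "created": date(2025, 9, 10),
     "last_password_change": date(2026, 4, 20), "mfa": "fido2"},
    {"name": "support2", "created": date(2026, 4, 28),
     "last_password_change": date(2026, 4, 28), "mfa": "none"},
]

if __name__ == "__main__":
    for build in ("12.6.1.0", "12.6.1.1", "12.8.0.0", "12.8.0.1", "12.5.0.3"):
        print(build, epmm_status(build))
    for name, reasons in flag_admin_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(name, ", ".join(reasons))
```

Every account the script flags is a rotation or review task, not proof of compromise; the point of the `created-in-review-window` finding is to make a newly added admin account during the exploitation window impossible to overlook when reading a long user list.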

> CISA has evidence that this vulnerability is being exploited in limited targeted attacks. Federal agencies are required to remediate this known exploited vulnerability by the due date.

CISA Known Exploited Vulnerabilities Catalog, CVE-2026-6973 entry, May 8, 2026

How Did the DAEMON Tools Supply Chain Attack Deliver a QUIC RAT for 28 Days?

Official DAEMON Tools Lite installers downloaded from the product's primary website between approximately April 8 and May 5, 2026 contained a trojanized QUIC RAT, a remote access trojan delivered over the QUIC protocol. Kaspersky researchers discovered the compromise on May 5 and attributed the attack to a suspected Chinese-speaking threat actor based on TTPs and tooling similarities to documented China-nexus groups.

The attack modified three binaries within the installer package while preserving their valid digital signatures: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. On execution, these components made HTTP GET requests to env-check.daemontools[.]cc, a C2 domain registered on March 27, 2026, approximately 12 days before the campaign began. The C2 interaction delivered two initial payloads: envchk.exe, a system information collector, and cdg.exe, a shellcode loader. The QUIC RAT itself was delivered selectively, not to every system that installed the backdoored version, but to operator-chosen targets identified through the information collector.

This selective delivery mechanism is the most operationally significant aspect of the attack. Compromised systems sent hardware and software profile data to the C2, and operators decided which systems to activate with the full RAT based on assessed target value. Organizations that installed affected DAEMON Tools versions during the 28-day window cannot assume they were not RAT targets simply because they have not observed active C2 communication. Absence of visible C2 traffic is not absence of compromise.

All organizations that installed DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434 should treat those systems as potentially compromised and conduct forensic review. The safe version is 12.6.0.2445 or later. Block env-check.daemontools[.]cc at every DNS resolver and proxy layer immediately. This is not the first 2026 supply chain attack via signed software from a legitimate vendor distribution channel — for context on the scale of supply chain compromise risk this year, see the [North Korea supply chain attack deploying malware across 1,700 packages](/blog/north-korea-supply-chain-1700-packages).
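Two operational points from this section are worth turning into a triage routine: the affected build range decides whether a host needs forensic review, and, because the RAT was delivered selectively, a host on an affected build stays in scope even when no C2 resolution shows up in DNS logs. The following is an added example written for this brief, not Kaspersky's or the vendor's tooling. The build range, safe build and C2 domain are those named above; the host inventory, the BIND-style query-log format, the log lines, and the hash-record check (the SBOM verification practice the brief recommends further down) are constructed assumptions.

```python
"""Host triage for the backdoored DAEMON Tools Lite installers.

Added example for this brief; not Kaspersky's or the vendor's tooling. The
affected build range, safe build and C2 domain are those named on the page;
the host inventory, DNS log lines and log format are constructed.
"""
import hashlib
import re

AFFECTED_FIRST = (12, 5, 0, 2421)
AFFECTED_LAST = (12, 5, 0, 2434)
SAFE_FROM = (12, 6, 0, 2445)
C2_DOMAIN = "env-check.daemontools.cc"   # written defanged on the page as env-check.daemontools[.]cc

# Assumed query-log layout (BIND-style): "... client <ip>#<port>: query: <name> IN <type> ..."
QUERY_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN")


def parse_version(text: str) -> tuple:
    """'12.5.0.2421' -> (12, 5, 0, 2421) for numeric comparison."""
    return tuple(int(part) for part in text.split("."))


def build_status(version: str) -> str:
    """'affected' for 12.5.0.2421-12.5.0.2434, 'safe' for 12.6.0.2445+, else 'unknown'.

    Builds between the two ranges are not described on the page, so they are
    deliberately not declared safe here.
    """
    v = parse_version(version)
    if AFFECTED_FIRST <= v <= AFFECTED_LAST:
        return "affected"
    if v >= SAFE_FROM:
        return "safe"
    return "unknown"


def c2_clients(log_lines) -> set:
    """Source IPs that resolved the C2 domain or any name under it."""
    hits = set()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        ip, name = m.group(1), m.group(2).lower().rstrip(".")
        if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
            hits.add(ip)
    return hits


def triage(hosts: list, log_lines) -> dict:
    """Map host name -> verdict.

    An affected build with no C2 resolution is 'affected-no-c2', never
    'no-finding': the RAT was delivered selectively, so absence of beaconing
    does not clear the host.
    """
    beaconers = c2_clients(log_lines)
    verdicts = {}
    for h in hosts:
        affected = build_status(h["version"]) == "affected"
        seen = h["ip"] in beaconers
        if affected and seen:
            verdicts[h["host"]] = "affected+c2"
        elif affected:
            verdicts[h["host"]] = "affected-no-c2"
        elif seen:
            verdicts[h["host"]] = "c2-only"      # inventory may be stale; investigate
        else:
            verdicts[h["host"]] = "no-finding"
    return verdicts


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def installer_matches_record(data: bytes, known_good: dict, version: str) -> bool:
    """Hash validation against a known-good installer record, keyed by version.
    A missing record is a failure, not a pass: a valid signature alone is not
    treated as proof of integrity."""
    expected = known_good.get(version)
    return expected is not None and sha256_hex(data) == expected


# Constructed inventory and DNS log (not real hosts or traffic).
SAMPLE_HOSTS = [
    {"host": "ws-101", "ip": "10.1.4.22", "version": "12.5.0.2430"},
    {"host": "ws-102", "ip": "10.1.4.23", "version": "12.5.0.2421"},
    {"host": "ws-103", "ip": "10.1.4.24", "version": "12.6.0.2445"},
    {"host": "ws-104", "ip": "10.1.4.25", "version": "12.4.0.2400"},
]
SAMPLE_DNS_LOG = [
    "11-May-2026 09:14:02.113 client 10.1.4.22#53211: query: env-check.daemontools.cc IN A + (10.1.0.5)",
    "11-May-2026 09:14:05.220 client 10.1.4.23#49160: query: www.example.com IN A + (10.1.0.5)",
    "11-May-2026 09:15:41.008 client 10.1.4.25#50333: query: env-check.daemontools.cc IN A + (10.1.0.5)",
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS, SAMPLE_DNS_LOG).items():
        print(host, verdict)
```

Run against real inventory and resolver logs, the `affected-no-c2` bucket is the one that tends to get dropped in practice; it should feed the same forensic queue as `affected+c2`. A `c2-only` host means the software inventory and the network evidence disagree, which is itself a finding.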


What Did RansomHouse Steal from Trellix and Why It Matters for Enterprise Security

RansomHouse, an extortion group that exfiltrates data without deploying encryption, listed Trellix on its data leak site on May 7, 2026, claiming initial access dated April 17 and providing leaked screenshots as proof of compromise. Trellix, the enterprise cybersecurity vendor formed from the 2022 merger of McAfee Enterprise and FireEye, confirmed on May 1 that it "detected unauthorized access to a portion of its source code repository."

Trellix's statement draws a careful distinction: the company states no evidence exists that source code was exploited, that distribution pipelines were compromised, or that deployed Trellix products were modified. Independent security researchers reviewing leaked material assessed that VMware, Rubrik, and Dell EMC infrastructure may also have been accessed during the intrusion, significantly widening the potential blast radius beyond Trellix source code alone. The initial access vector used by RansomHouse has not been publicly confirmed.

The security significance of a cybersecurity vendor source code breach differs from most corporate incidents. Trellix develops endpoint detection and response (EDR), extended detection and response (XDR), and network security products deployed across thousands of enterprise environments. Attackers with visibility into Trellix source code can map detection signatures and rule logic to identify bypass opportunities, identify memory layout patterns in Trellix agents that facilitate process injection, find authentication or update mechanisms usable for future product tampering, and understand telemetry collection to design evasion that avoids specific data points Trellix forwards to SIEM platforms.

None of these scenarios requires action visible in a breach announcement. The risk manifests over a months-long window as RansomHouse develops capabilities against Trellix products directly or sells that access to other threat actors. Organizations running Trellix EDR, Helix SIEM, or network security products should monitor Trellix advisories with elevated priority and treat any emergency product updates in the coming weeks as security-critical deployments.

> We detected unauthorized access to a portion of our source code repository. We have no evidence that the source code was exploited or that our product distribution pipeline was compromised.

Trellix official statement, May 1, 2026

Patch Tuesday May 12 and PAN-OS Patches: What Arrives Tomorrow

Two major patch events land tomorrow, May 12, 2026. Microsoft's monthly Patch Tuesday release is scheduled as normal. Based on 2026 release patterns — 115 CVEs in January, 58 in February, 84 in March, and 167 in April — May's update is expected to be a substantial release. Security teams should prioritize any zero-day patches and CISA KEV-related fixes, particularly for Windows components given the two still-unpatched Microsoft Defender zero-days, RedSun and UnDefend, that remain actively exploited with no vendor patch yet available.

Palo Alto Networks confirmed that fixes for CVE-2026-0300, the critical PAN-OS zero-day with a CVSS score of 9.3, are expected to begin shipping May 13. CVE-2026-0300 is an unauthenticated root-level RCE vulnerability in PAN-OS's User-ID Authentication Portal that a suspected China-nexus threat actor exploited for 28 days before public disclosure on May 6. The federal patch deadline for CVE-2026-0300 was May 9. No patch was available at deadline. For full technical detail and immediate mitigations including Authentication Portal disabling steps, see the [CVE-2026-0300 PAN-OS zero-day mitigation guide](/blog/cve-2026-0300-panos-firewall-rce-mitigation).

Organizations should prepare deployment pipelines for both releases today. Stage test environments for Windows patch validation before Patch Tuesday fires. Pre-position PAN-OS maintenance windows for May 13-14 when firewall patches release and ensure emergency change management approvals are pre-authorized given the critical severity. The combination of CVE-2026-6973 requiring immediate action now, CVE-2026-0300 patches arriving tomorrow, and the unpatched Windows Defender zero-days makes May 11-13 one of the most demanding consecutive patching windows of 2026.

Why Ivanti EPMM Zero-Day CVE-2026-6973 Matters for Your Organization

Three separate Ivanti EPMM zero-day exploitation events in five months indicate sustained focus on the platform by sophisticated threat actors. The pattern suggests either active vulnerability research against EPMM by organized groups, or that initial EPMM compromises from January have provided footholds that attackers are now expanding through newly discovered post-authentication vectors. Neither interpretation reduces urgency.

The post-authentication requirement for CVE-2026-6973 is a deceptive risk reduction. EPMM admin accounts that share passwords with other services, were not rotated after the January 2026 advisory, are accessible via phishable MFA, or have been in continuous use for more than 90 days without rotation all represent viable exploitation prerequisites. The January 2026 incidents involved organizations that considered themselves low-risk. Three events later, no EPMM deployment should carry that assumption.

The DAEMON Tools supply chain attack demonstrates that software with legitimate digital signatures cannot be treated as implicitly trustworthy. The same principle applies to any software using automated update mechanisms, installer distribution through vendor-hosted channels, or deployment via package managers without hash verification. An SBOM practice with hash validation against known-good installer records provides the verification layer that code-signing alone no longer guarantees.

RansomHouse targeting Trellix establishes that cybersecurity vendors are now high-value breach targets not for ransomware deployment but for the strategic intelligence value of source code, detection logic, and product architecture. Security teams should evaluate their defensive posture under the assumption that sophisticated threat actors may have unusual knowledge of how some deployed security tooling functions internally.

This Week's Remediation Checklist: Ivanti EPMM, DAEMON Tools, and Trellix

Execute these actions in priority order. Steps 1 and 2 address confirmed active exploitation with expired federal deadlines.


The bottom line

Ivanti EPMM zero-day CVE-2026-6973 is the third actively exploited EPMM vulnerability in 2026 and the CISA emergency deadline has already passed: patch to 12.6.1.1, 12.7.0.1, or 12.8.0.1 and rotate admin credentials before anything else today. Organizations that installed DAEMON Tools Lite between April 8 and May 5 should treat those systems as potentially compromised and block env-check.daemontools[.]cc at every network layer immediately. Patch Tuesday May 12 and PAN-OS CVE-2026-0300 patches on May 13 make this week's deployment window one of the year's most demanding — stage environments and pre-authorize change windows now.

Frequently asked questions

What is CVE-2026-6973 in Ivanti EPMM?

CVE-2026-6973 is a high-severity remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM), an on-premises mobile device management platform used by enterprises and government agencies. The flaw stems from improper input validation and is exploitable by an authenticated attacker holding valid admin credentials, allowing arbitrary command execution on the server. CVSS score is 7.2. This is the third separate EPMM zero-day exploitation event in 2026, following CVE-2026-1281 and CVE-2026-1340 in January, which were unauthenticated with CVSS scores reaching 9.8.

Which versions of Ivanti EPMM are affected by CVE-2026-6973?

All Ivanti EPMM on-premises versions up to and including 12.8.0.0 are affected by CVE-2026-6973. Patched versions are 12.6.1.1, 12.7.0.1, and 12.8.0.1. Ivanti Neurons for MDM, the cloud-hosted product, is not affected. Organizations that already rotated admin credentials following the January 2026 EPMM advisories face significantly reduced risk, but Ivanti and CISA both treat this as non-eliminated risk requiring immediate patch application regardless.

Is CVE-2026-6973 being actively exploited right now?

Yes. CISA confirmed limited targeted exploitation of CVE-2026-6973 and added it to the Known Exploited Vulnerabilities catalog on May 8, 2026. CISA issued an emergency directive requiring federal agencies to patch within three business days, with a deadline of May 10, 2026. That deadline has now passed. SecurityWeek reported exploitation in targeted attacks consistent with nation-state or advanced threat actor activity, requiring valid admin-level credentials as a prerequisite, suggesting attackers already held elevated access to targeted EPMM deployments.

How do I patch Ivanti Endpoint Manager Mobile CVE-2026-6973?

Apply one of the patched versions immediately: EPMM 12.6.1.1, 12.7.0.1, or 12.8.0.1 depending on your current version track. After patching, rotate all admin credentials for the EPMM console, review the admin account list for unauthorized additions, and audit EPMM logs for unusual API calls or configuration changes in the past 30 days. If your organization rotated credentials following the January 2026 EPMM advisories, that prior rotation reduces but does not eliminate risk from CVE-2026-6973.

Is Ivanti EPMM cloud affected by CVE-2026-6973?

No. CVE-2026-6973 affects Ivanti Endpoint Manager Mobile on-premises deployments only. Ivanti Neurons for MDM, the cloud-hosted product, is not affected by this vulnerability. Organizations that have fully migrated to Ivanti Neurons for MDM do not need to take action for this specific CVE. On-premises EPMM administrators should apply the patch regardless of whether their deployment is externally accessible, since insider threat or compromised admin credentials remain viable exploitation paths.

How were official DAEMON Tools installers backdoored for 28 days without detection?

Kaspersky found that DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434, downloaded from the official website between approximately April 8 and May 5, 2026, contained a trojanized QUIC RAT delivered via three modified signed binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. The binaries retained valid digital signatures, passing standard code-signing validation. On execution they contacted a newly registered C2 domain and selectively delivered a remote access trojan to chosen targets based on a system profiling step. The attack is attributed to a suspected Chinese-speaking adversary.

Is Trellix security software safe to use after the RansomHouse breach?

Trellix states no evidence exists that source code was weaponized or that distribution pipelines were compromised. However, independent researchers reviewing leaked material believe VMware, Rubrik, and Dell EMC infrastructure may also have been accessed, extending potential exposure beyond source code alone. The primary risk is not immediate software backdooring but a longer-term window during which attackers may map Trellix detection logic, identify bypass opportunities, or develop evasion capabilities. Security teams running Trellix XDR, endpoint, or network products should monitor Trellix advisories with elevated priority.

What is Patch Tuesday May 12 2026 expected to cover?

Microsoft's May 2026 Patch Tuesday releases on May 12. Based on 2026 patterns (115 CVEs in January, 58 in February, 84 in March, 167 in April), May is expected to include a substantial update. Security teams should prioritize any zero-day fixes, particularly for the two still-unpatched Microsoft Defender zero-days RedSun and UnDefend that remain actively exploited. Separately, Palo Alto Networks confirmed that patches for CVE-2026-0300, the critical PAN-OS CVSS 9.3 zero-day actively exploited since April 9 by a China-nexus actor, are expected to begin shipping May 13.

Sources & references

  1. The Hacker News — Ivanti EPMM CVE-2026-6973 RCE Under Active Attack
  2. BleepingComputer — CISA Gives Feds Four Days to Patch Ivanti Flaw Exploited as Zero-Day
  3. SecurityWeek — Ivanti Patches EPMM Zero-Day Exploited in Targeted Attacks
  4. The Hacker News — DAEMON Tools Supply Chain Attack: Trojanized Installers Drop QUIC RAT
  5. BleepingComputer — Trellix Source Code Breach Claimed by RansomHouse Hackers
  6. CISA — Known Exploited Vulnerabilities Catalog


Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
