CISA orders feds to patch exploited Ivanti EPMM flaw by Sunday

by · BleepingComputer

CISA has given U.S. government agencies four days to secure their systems against a critical-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited in attacks since January.

Tracked as CVE-2026-1340, this critical-severity code injection flaw enables threat actors without privileges to gain remote code execution on Internet-exposed and unpatched EPMM appliances.

Ivanti flagged this and a second security bug (CVE-2026-1281) as abused in zero-day attacks when it released security updates on January 29 to patch both vulnerabilities and "strongly" encouraged all customers to update their systems to block ongoing exploitation.

"Successful exploitation could lead to unauthenticated remote code execution. We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure," the company said at the time.

Internet security watchdog group Shadowserver is currently tracking nearly 950 IP addresses with Ivanti EPMM fingerprints still exposed online, most of them from Europe (569) and North America (206). However, there is no information on how many of them have already been patched.

Ivanti EPMM appliances exposed online (Shadowserver)

On Monday, the U.S. Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their EPMM systems by Saturday midnight, April 11, as mandated by Binding Operational Directive (BOD) 22-01.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

CISA advised all defenders, including those in the private sector, to prioritize applying patches for CVE-2026-1340 to secure their organizations' devices as soon as possible, even though BOD 22-01 applies only to U.S. federal agencies.

Multiple other Ivanti vulnerabilities have been exploited in recent years via zero-day attacks to breach a wide range of targets, including government agencies worldwide.

In total, CISA has tagged 33 Ivanti vulnerabilities as exploited in attacks, 12 of which have been used by various ransomware operations.

Ivanti provides IT asset management products to over 40,000 customers through a network of more than 7,000 partners around the globe.
