CISA Gives Federal Agencies Days to Patch Actively Exploited Ivanti EPMM RCE Flaw

A critical unauthenticated remote code execution vulnerability in Ivanti Endpoint Manager Mobile (CVE-2026-1340) has been under active exploitation since January, prompting CISA to add it to the Known Exploited Vulnerabilities catalog and mandate federal civilian agencies patch by April 11. The flaw, a code injection bug requiring no authentication, exposes internet-facing EPMM appliances to full compromise. Ivanti disclosed it alongside a second zero-day (CVE-2026-1281) on January 29 and urged immediate patching, but Shadowserver is still tracking roughly 950 exposed instances online.

The federal deadline is tight by design - BOD 22-01 compels FCEB agencies to remediate KEV entries on an accelerated schedule given the direct risk to government infrastructure. CISA extended the advisory to private-sector defenders as a strong recommendation, not a mandate. Ivanti’s track record sharpens the urgency: CISA has catalogued 33 exploited Ivanti CVEs to date, 12 linked to ransomware operators.

With nearly 40,000 Ivanti customers globally and persistent attacker interest in its MDM and IT asset management products, unpatched EPMM instances represent a high-value target. Organizations still running vulnerable versions should treat this as an emergency patch cycle, not routine maintenance.