CISA Orders Feds to Patch Exploited Ivanti EPMM Flaw by Sunday

BleepingComputer, Apr 8, 2026

Why It Matters

The directive forces rapid remediation across the federal enterprise, reducing the attack surface for a zero‑day exploit that could compromise sensitive government data. Private organizations face the same risk, making the patch a priority beyond the public sector.

Key Takeaways

  • CISA orders federal agencies to patch Ivanti EPMM by April 11.
  • CVE‑2026‑1340 enables unauthenticated remote code execution.
  • Shadowserver tracks ~950 exposed EPMM appliances, mostly in Europe and North America.
  • Ivanti reports 33 exploited flaws, 12 used by ransomware groups.
  • Unpatched systems risk federal data breach via ongoing zero‑day attacks.

Pulse Analysis

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has escalated the remediation of Ivanti Endpoint Manager Mobile (EPMM) to a binding operational directive, giving Federal Civilian Executive Branch agencies until midnight Saturday, April 11, to apply the patches for CVE‑2026‑1340. The flaw, a critical‑severity code‑injection bug, grants unauthenticated attackers remote code execution on any Internet‑exposed EPMM appliance that remains unpatched. By moving the vulnerability into the Known Exploited Vulnerabilities (KEV) catalog, CISA signals that the risk is active, not theoretical, and that federal networks must act immediately.

The vulnerability was first disclosed by Ivanti on January 29, alongside a second issue (CVE‑2026‑1281), after the company observed limited exploitation in the wild. Shadowserver’s monitoring now shows roughly 950 IP addresses still broadcasting EPMM fingerprints, with the bulk located in Europe (569) and North America (206). Although the exact number of patched systems is unknown, the persistence of these exposed endpoints underscores the challenge of timely patch deployment across distributed environments. Ivanti’s broader history—33 exploited flaws, 12 tied to ransomware—highlights a pattern of aggressive threat actor interest.

For the federal enterprise, a successful breach could compromise mission‑critical data and downstream services, prompting CISA to advise agencies to apply vendor mitigations, follow BOD 22‑01 cloud‑service guidance, or retire the product if fixes are unavailable. Private‑sector organizations, while not bound by the directive, face the same exposure and should prioritize the same patches to avoid becoming the next foothold for attackers. The episode reinforces the need for continuous vulnerability management, rapid patch cycles, and active threat‑intelligence sharing to stay ahead of zero‑day exploits.
