The U.S. cybersecurity agency issued an advisory giving government agencies just four days to remediate an exploited vulnerability affecting Ivanti Endpoint Manager Mobile.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is ordering federal agencies to prioritize patching for a critical-severity Ivanti mobile management vulnerability.
In an update Wednesday, CISA gave affected agencies a short window of four days to remediate the exploited vulnerability (tracked at CVE-2026-1340), which impacts Ivanti’s Endpoint Manager Mobile (EPMM) tool.
[Related: 10 Major Cyberattacks And Data Breaches In 2025]
Ivanti EPMM “contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution,” CISA said in an update to its catalog of vulnerabilities known to have seen exploitation.
Affected agencies will have until Saturday to deploy mitigations, CISA ordered.
In late January, Ivanti had disclosed that the flaw was one of a pair of mobile management vulnerabilities that had been exploited in cyberattacks. The attacks impacted a “very limited” number of customers as of that point, Ivanti said in the Jan. 29 advisory.
CRN has reached out to Ivanti for comment.
CISA said in its update Wednesday that it remains unknown whether the CVE-2026-1340 has been exploited as part of ransomware campaigns.
Nonetheless, “this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA wrote in its advisory.
While the order only applies to Federal Civilian Executive Branch agencies, CISA “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [such] vulnerabilities as part of their vulnerability management practice,” CISA said Wednesday.
The Ivanti EPMM vulnerability has been classified as a “critical” issue with a severity score of 9.8 out of 10.0.
In terms of remediating the flaw, “no downtime” is required to apply the necessary patch, Ivanti said in its advisory on the vulnerability, which was last updated March 31. The vendor is also “not aware of any feature functionality impact with this patch,” the advisory said.
