The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a binding directive this week requiring Federal Civilian Executive Branch (FCEB) agencies to remediate a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) by midnight on Saturday, April 11. The vulnerability is tracked as CVE-2026-1340.
This flaw has been actively exploited by hackers since January. Unauthorized attackers can leverage the vulnerability to execute remote code on internet-facing, unpatched EPMM devices. Ivanti previously confirmed that this vulnerability, along with CVE-2026-1281, has been used in zero-day attacks, and the company released a security update on January 29.
In its security advisory, Ivanti stated: "Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to execute arbitrary code. At the time of disclosure, we were aware of a very small number of customers who had been impacted by this exploit."
Global Impact of the Vulnerability
According to data from the internet security monitoring organization Shadowserver, nearly 950 IP addresses worldwide remain exposed with Ivanti EPMM signatures. Of these, 569 are located in Europe and 206 in North America. It remains unclear how many of these devices have been successfully patched.
CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive (BOD) 22-01, federal agencies are strictly required to comply with remediation deadlines. CISA warned: "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."
While the directive specifically targets U.S. federal agencies, CISA strongly advises all private-sector defenders to apply the patches immediately to secure their infrastructure. The agency emphasized that if patching is not feasible, organizations should follow the guidance outlined in BOD 22-01 regarding cloud services or discontinue use of the product entirely.
In recent years, multiple Ivanti products have been found to contain vulnerabilities that were subsequently exploited in zero-day attacks against government agencies worldwide. To date, CISA has listed 33 Ivanti vulnerabilities in its KEV catalog, 12 of which have been leveraged by various ransomware gangs.
Ivanti currently provides IT asset management solutions to over 7,000 partners and 40,000 customers globally. As the patch deadline approaches, system administrators worldwide are under significant pressure to secure their environments.
