The U.S. cybersecurity agency issued an advisory giving government agencies just four days to remediate an exploited vulnerability affecting Ivanti Endpoint Manager Mobile.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is ordering federal agencies to prioritize patching for a critical-severity Ivanti mobile management vulnerability.
In an update Wednesday, CISA gave affected agencies a short window of four days to remediate the exploited vulnerability (tracked at CVE-2026-1340), which impacts Ivanti’s Endpoint Manager Mobile (EPMM) tool.
[Related: 10 Major Cyberattacks And Data Breaches In 2025]
Ivanti EPMM “contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution,” CISA said in an update to its catalog of vulnerabilities known to have seen exploitation.
Affected agencies will have until Saturday to deploy mitigations, CISA ordered.
In late January, Ivanti had disclosed that the flaw was one of a pair of mobile management vulnerabilities that had been exploited in cyberattacks. The attacks impacted a “very limited” number of customers as of that point, Ivanti said in the Jan. 29 advisory.
In a statement provided to CRNIvanti said that it released version 12.8 for EPMM on March 18, “which resolves these vulnerabilities and provides other important security hardening features to further protect customer environments.”
“We highly recommend that customers adopt this version as soon as possible,” the company said in the statement.
The fixed version of EPMM followed the Jan. 29 availability of an RPM package that protects customer environments, “which requires no downtime and takes only seconds to apply,” Ivanti said.
CISA said in its update Wednesday that it remains unknown whether the CVE-2026-1340 has been exploited as part of ransomware campaigns.
Nonetheless, “this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA wrote in its advisory.
While the order only applies to Federal Civilian Executive Branch agencies, CISA “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [such] vulnerabilities as part of their vulnerability management practice,” CISA said Wednesday.
The Ivanti EPMM vulnerability has been classified as a “critical” issue with a severity score of 9.8 out of 10.0.