CISA Warns of Actively Exploited Ivanti EPMM Vulnerability

Actively exploited Ivanti EPMM flaw triggers urgent patching orders.

Key Takeaways:

  • Critical flaw in Ivanti Endpoint Manager Mobile enables unauthenticated remote code execution.
  • Actively exploited zero-day with many exposed systems still at risk.
  • CISA mandates urgent fixes, warns broader organizations to act fast.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive ordering federal civilian agencies to remediate a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM). The move comes after confirmed evidence that the flaw is already being actively exploited in real-world attacks.

Ivanti Endpoint Manager Mobile (EPMM) is a mobile device management (MDM) and enterprise mobility management platform used by organizations to securely manage smartphones and tablets used for work. It allows IT teams to enforce security policies, control access to corporate apps and data, deploy configurations and updates remotely, and protect sensitive information on both employee‑owned and company‑issued devices across iOS and Android environments.

CVE-2026-1340 opens door to remote code execution

CVE-2026-1340 is a critical code‑injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that allows an attacker to run malicious commands on a vulnerable server without needing to log in. If an EPMM system is exposed to the internet and unpatched, an attacker can send specially crafted requests that the application mistakenly treats as executable instructions, which leads to unauthenticated remote code execution and potentially full control of the mobile management server, including access to managed devices, credentials, and internal networks.

Ivanti disclosed the vulnerability in late January 2026 and released security updates after discovering that the flaw was being abused in zero‑day attacks. While Ivanti stated that only a small number of customers were confirmed as compromised at the time, security researchers have identified hundreds of EPMM instances still exposed to the internet, which increases the potential risk.

Organizations urged to patch without delay

CISA added this security flaw to its Known Exploited Vulnerabilities (KEV) Catalog, which triggers mandatory remediation requirements under Binding Operational Directive 22‑01. Consequently, affected federal agencies were given only a few days to apply vendor‑recommended patches, implement mitigations, or discontinue use of the product if fixes are unavailable.

CISA strongly encouraged private‑sector organizations using Ivanti EPMM to treat the vulnerability as a high priority and apply patches immediately. The agency emphasized that flaws like this are frequently used by malicious actors and pose serious risks if left unaddressed in enterprise environments.