The Cybersecurity and Infrastructure Security Agency on Wednesday added a critical flaw in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog.
The vulnerability, tracked as CVE-2026-1340, stems from a code injection in Ivanti EPMM that allows an attacker to achieve remote code execution without authentication.
CISA set a deadline of April 11 for federal civilian executive branch agencies to mitigate the vulnerability in their environments.
Ivanti first disclosed the issue in late January along with CVE-2026-1281, which is a similar code injection vulnerability and was immediately added to the KEV catalog. Both flaws have a severity score of 9.8. The company said it began seeing exploitation shortly after a proof of concept was released.
Ivanti released a security advisory for the vulnerabilities at the time, and said it was aware of a “very limited number” of customers whose products were impacted.
“At the time of disclosure, Ivanti provided an RPM package to protect customer environments, which requires no downtime and takes only seconds to apply,” an Ivanti spokesperson told Cybersecurity Dive.
Ivanti also provided indicators of compromise, technical analysis and a detection script developed alongside the National Cyber Security Centre in the Netherlands.
The European Commission and Dutch authorities said they were investigating incidents related to the vulnerabilities back in February.
Ivanti released EPMM version 12.8 on March 18, which resolves the vulnerabilities and provides additional security hardening features, according to a spokesperson. The company recommends all users apply the upgrade.
Multiple security researchers contacted by Cybersecurity Dive said they have not seen any recent change in threat activity that would explain why the vulnerability was finally added to the KEV catalog.
“It's been repeatedly exploited literally thousands of times since it was disclosed,” Simo Kohonen, founder and CEO at Defused, told Cybersecurity Dive.
CISA did not provide any specifics about the timing behind the change in status, but provided a link to general guidance for why a vulnerability is added to the KEV catalog.