**CISA** has given U.S. government agencies four days to secure their systems against a critical-severity vulnerability in **Ivanti Endpoint Manager Mobile (EPMM)** that has been exploited in attacks since January. Tracked as **CVE-2026-1340**, this critical-severity code injection flaw enables threat actors without privileges to gain remote code execution on Internet-exposed and unpatched **EPMM** appliances. **Ivanti** flagged this and a second security bug (**CVE-2026-1281**) as abused in zero-day attacks when it released security updates on January 29 to patch both vulnerabilities and "strongly" encouraged all customers to update their systems to block ongoing exploitation. "Successful exploitation could lead to unauthenticated remote code execution. We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure," the company said at the time. Internet security watchdog group **Shadowserver** is currently tracking nearly 950 IP addresses with **Ivanti EPMM** fingerprints still exposed online, most of them from Europe (569) and North America (206). However, there is no information on how many of them have already been patched.  *Ivanti EPMM appliances exposed online (Shadowserver)* On Monday, the U.S. **Cybersecurity and Infrastructure Security Agency** added the vulnerability to its Known Exploited Vulnerabilities (**KEV**) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their **EPMM** systems by Saturday midnight, April 11, as mandated by Binding Operational Directive (**BOD**) 22-01. "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," **CISA** warned. "Apply mitigations per vendor instructions, follow applicable **BOD** 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." **CISA** advised all defenders, including those in the private sector, to prioritize applying patches for **CVE-2026-1340** to secure their organizations' devices as soon as possible, even though **BOD** 22-01 applies only to U.S. federal agencies. Multiple other **Ivanti** vulnerabilities have been exploited in recent years via zero-day attacks to breach a wide range of targets, including government agencies worldwide. In total, **CISA** has tagged 33 **Ivanti** vulnerabilities as exploited in attacks, 12 of which have been used by various ransomware operations. **Ivanti** provides IT asset management products to over 40,000 customers through a network of more than 7,000 partners around the globe.