The Cybersecurity and Infrastructure Security Agency on Wednesday added a critical flaw in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog.
The vulnerability, tracked as CVE-2026-1340, stems from a code injection in Ivanti EPMM that allows an attacker to achieve remote code execution without authentication.
CISA set a deadline of April 11 for federal civilian executive branch agencies to mitigate their environments.
Ivanti first disclosed the issue in late January along with CVE-2026-1281, which is a similar code injection vulnerability and was immediately added to the KEV catalog. Both flaws have a severity score of 9.8. The company said it began seeing exploitation shortly after a proof of concept was released.
Ivanti released a security advisory for the vulnerabilities at the time, and said it was aware of a “very limited number” of customers whose products were impacted.
“At the time of disclosure, Ivanti provided an RPM package to protect customer environments, which requires no downtime and takes only seconds to apply,” an Ivanti spokesperson told Cybersecurity Dive.
Ivanti also provided indicators of compromise, technical analysis and a detection script developed alongside the National Cyber Security Centre in the Netherlands.
The European Commission and Dutch authorities said they were investigating incidents related to the vulnerabilities back in February.
Ivanti released version 12.8 for EPMM back on March 18, which resolves the vulnerabilities and provides additional security hardening features, according to a spokesperson. The company recommends all users apply the upgrade.
Multiple security researchers contacted by Cybersecurity Dive said they have not seen any recent change in threat activity that would explain why the vulnerability was finally added to the KEV catalog.
“It’s been repeatedly exploited literally thousands of times since it was disclosed,” Simo Kohonen, founder and CEO at Defused, told Cybersecurity Dive.
CISA did not provide any specifics about the timing behind the change in status, but provided a link to general guidance for why a vulnerability is added to the KEV catalog.
