Ivanti EPMM flaw added to KEV

CISA added a flaw in Ivanti EPMM to its Known Exploited Vulnerabilities catalog, signalling active exploitation that touches device management and identity controls. Because EPMM influences enrollment, policy enforcement and mobile access, the vulnerability should be cross‑referenced with identity telemetry rather than treated as an isolated patch task. A useful dashboard would list exploited device‑management CVEs and link them to recent admin activity, enrollment spikes, and affected user populations. (Security Affairs)

A mobile device management server is the control tower for work phones and tablets: it enrolls devices, pushes security settings, and decides which apps and data they can reach. Ivanti Endpoint Manager Mobile is one of those systems, and on April 8, 2026, the Cybersecurity and Infrastructure Security Agency added one of its bugs to the federal Known Exploited Vulnerabilities list. (cisa.gov)

That list is not a watchlist for theoretical risk. The Cybersecurity and Infrastructure Security Agency says it adds flaws to the Known Exploited Vulnerabilities catalog when there is evidence they are being exploited in the wild, and federal agencies then get a patch deadline under Binding Operational Directive 22-01. (cisa.gov, cisa.gov)

The bug CISA flagged is CVE-2026-1340, which Ivanti describes as a code injection flaw in Ivanti Endpoint Manager Mobile. Ivanti says successful exploitation can lead to unauthenticated remote code execution, which means an attacker can make the server run commands without logging in first. (ivanti.com, cisa.gov)

Ivanti disclosed this issue together with CVE-2026-1281 on January 29, 2026. Ivanti said at disclosure that it was aware of a “very limited number” of customers whose Endpoint Manager Mobile systems had already been exploited. (ivanti.com)

The company says the affected versions were 12.5.0.0 through 12.5.0.1, 12.4.0.0 through 12.4.0.1, 12.3.0.0 through 12.3.0.1, and 12.2.0.0 through 12.2.0.1. Ivanti also said the problem affects the on-premises product and does not affect its cloud offerings, including Ivanti Neurons for Mobile Device Management. (ivanti.com)

CISA’s April 8 entry gave federal civilian agencies a due date of April 12, 2026. BleepingComputer reported that the order gave agencies four days to secure exposed systems, which shows how fast the government expects defenders to move once a flaw lands in the catalog. (cisa.gov, bleepingcomputer.com)

This is not just another server patch because Endpoint Manager Mobile sits next to identity and access decisions. The platform handles device enrollment and mobile access controls, so a compromised server can touch the records that say which phone is trusted, which user gets a certificate, and which app can open corporate mail. (ivanti.com)

Ivanti’s own analysis guidance tells defenders to review logs and threat indicators for these two 2026 flaws. That is the clue that patching alone is not enough: teams need to line up Endpoint Manager Mobile logs with identity logs, administrator actions, and unusual enrollment activity to see whether an attacker used the server before the fix went in. (ivanti.com)

A useful dashboard here is simple and specific. Put exploited mobile device management bugs like CVE-2026-1340 on one side, then link each one to recent administrator logins, spikes in new device enrollments, changes to policy groups, and the user populations tied to those changes. (cisa.gov, ivanti.com)

The immediate question for any Ivanti Endpoint Manager Mobile customer is not only “did we patch by April 12, 2026?” The harder question is whether the server made any trust decisions for the wrong person between January 29, 2026, when Ivanti disclosed exploitation, and the day the fix was applied. (ivanti.com, cisa.gov)
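The correlation described above, as an added example that is not from the article, Ivanti or CISA: it flags enrollment-spike days between the January 29, 2026 disclosure and an assumed patch date, then attaches the same-day administrator logins, policy changes and enrolled users. The event schema, account names and sample rows are constructed for illustration and do not reflect an actual EPMM log format.

```python
from collections import Counter
from datetime import date, datetime
from statistics import median

DISCLOSED = date(2026, 1, 29)  # Ivanti disclosure date given in the article

# Constructed sample events (timestamp, kind, actor, target). The schema is
# hypothetical and is not an EPMM or identity-provider log format.
EVENTS = [
    ("2026-01-20T09:00:00", "enroll", "alice", "phone-01"),
    ("2026-01-21T10:30:00", "enroll", "bob", "phone-02"),
    ("2026-01-22T11:15:00", "enroll", "carol", "tablet-01"),
    ("2026-02-03T02:14:00", "admin_login", "mdm-admin", "203.0.113.7"),
    ("2026-02-03T02:20:00", "policy_change", "mdm-admin", "mail-access"),
    ("2026-02-03T02:31:00", "enroll", "dave", "phone-03"),
    ("2026-02-03T02:32:00", "enroll", "erin", "phone-04"),
    ("2026-02-03T02:33:00", "enroll", "frank", "phone-05"),
    ("2026-02-03T02:35:00", "enroll", "grace", "phone-06"),
    ("2026-02-10T14:00:00", "enroll", "heidi", "phone-07"),
    ("2026-04-15T09:00:00", "enroll", "ivan", "phone-08"),
]

def exposure_report(events, patched_on, spike_factor=3):
    """Link enrollment spikes in the exposure window to same-day admin activity."""
    parsed = [(datetime.fromisoformat(ts), kind, actor, target)
              for ts, kind, actor, target in events]
    per_day = Counter(ts.date() for ts, kind, _, _ in parsed if kind == "enroll")
    # Baseline: median enrollments on active days before disclosure (at least 1).
    before = [n for day, n in per_day.items() if day < DISCLOSED]
    baseline = max(median(before), 1) if before else 1
    report = {}
    for day, count in sorted(per_day.items()):
        in_window = DISCLOSED <= day <= patched_on
        if not in_window or count < spike_factor * baseline:
            continue
        report[day.isoformat()] = {
            "enrollments": count,
            "users": sorted(a for ts, k, a, _ in parsed
                            if k == "enroll" and ts.date() == day),
            "admin_activity": [(ts.isoformat(), k, a, t) for ts, k, a, t in parsed
                               if k != "enroll" and ts.date() == day],
        }
    return report

if __name__ == "__main__":
    # Assumed patch day: the April 12, 2026 due date from the KEV entry.
    for day, row in exposure_report(EVENTS, date(2026, 4, 12)).items():
        print(day, row)
```

Each flagged day is a starting point for review of the listed users' certificates and access, not proof of compromise; the spike factor and baseline method are tunable assumptions.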
