Ivanti zero-day: patching urged
U.S. cyber defenders ordered federal agencies to rush-patch a critical Ivanti Endpoint Manager Mobile flaw that is being actively exploited, showing this is a real-time threat rather than a theory. The vulnerability is a code-injection bug added to CISA’s Known Exploited Vulnerabilities list with a four-day remediation timetable for federal systems, which signals urgency from defenders. That pattern—active exploitation driving emergency patching—matters because it’s the exact kind of enterprise-management software failure attackers use to gain broad access. (bleepingcomputer.com) (x.com)
A server that manages company phones is supposed to be the front desk for every device. In this case, U.S. cyber defenders say attackers are already walking through that front door on Ivanti Endpoint Manager Mobile, and federal agencies have until April 11, 2026 to fix it. (cisa.gov) (bleepingcomputer.com)
Ivanti Endpoint Manager Mobile is software companies use to control work phones and tablets from one central console. It can push apps, set rules, move files, and enforce security settings across an entire mobile fleet. (ivanti.com) (tenable.com)
The flaw now on the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities list is CVE-2026-1340. The U.S. National Vulnerability Database describes it as a code-injection bug that lets an attacker run code on the server without logging in first. (nvd.nist.gov) (cisa.gov)
“Code injection” means the attacker slips their own instructions into a system that should only run trusted commands. If that works on a management server, the attacker is no longer poking at one phone at a time; they are standing at the control panel for all of them. (nvd.nist.gov) (unit42.paloaltonetworks.com)
Ivanti said on January 29, 2026 that CVE-2026-1340 and a second bug, CVE-2026-1281, were both critical and could lead to unauthenticated remote code execution. Ivanti also said a “very limited number” of customers had already been exploited when it disclosed the fixes. (hub.ivanti.com) (tenable.com)
The federal deadline is unusually short because the order comes through Binding Operational Directive 22-01, which tells civilian agencies to remediate listed bugs by a set date or stop using the product if they cannot. For this Ivanti flaw, CISA added it on April 8, 2026 and set April 11, 2026 as the due date. (cisa.gov) (nvd.nist.gov)
That four-day window tells you what defenders think is happening on real networks. CISA reserves the Known Exploited Vulnerabilities catalog for bugs with evidence of active abuse, not bugs that are merely dangerous on paper. (cisa.gov 1) (cisa.gov 2)
Security researchers at Palo Alto Networks’ Unit 42 said the affected features included In-House Application Distribution and Android File Transfer Configuration. Those are the kinds of plumbing features that sit deep inside device-management systems, which is why a compromise there can spread influence far beyond one employee handset. (unit42.paloaltonetworks.com) (abstract.security)
Ivanti said the issue does not affect its cloud products, including Ivanti Neurons for mobile device management. The company’s advisory points customers to patched versions and installation steps, which is why agencies and private companies are being told to patch rather than wait for more guidance. (hub.ivanti.com) (bleepingcomputer.com)
Ivanti has been a repeat name in emergency cyber bulletins over the past year, and that history is part of why this alert lands hard. When the software that hands out apps, settings, and access keys is itself exposed to unauthenticated takeover, defenders treat it less like a broken app and more like a compromised master key. (bleepingcomputer.com) (unit42.paloaltonetworks.com)