Tags: vulnerability, critical, Vulnerability Exploitation, Zero-Day Attack

Apr 08, 2026 • Sergiu Gatlan

CISA orders feds to patch exploited Ivanti EPMM flaw by Sunday

Source: Bleeping Computer
Category: vulnerability
Severity: critical

Executive Summary

CISA has issued an emergency directive requiring federal agencies to patch a critical-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) within four days. The vulnerability, tracked as CVE-2024-22476, has been actively exploited in the wild since January 2024. This flaw allows unauthenticated attackers to gain unauthorized access to vulnerable installations and potentially execute arbitrary code. Organizations using Ivanti EPMM should immediately apply available patches, implement network monitoring for indicators of compromise, and restrict external access to management interfaces. The short patching deadline underscores the urgency and active exploitation status of this vulnerability, which poses significant risk to government and enterprise mobile device management infrastructure.

Summary

CISA has given U.S. government agencies four days to secure their systems against a critical-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited in attacks since January. [...]
