CISA Issues Emergency Patch Mandate for Ivanti EPMM Zero-Day
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities (KEV) catalog and issued a binding directive giving U.S. federal civilian agencies four days to secure their networks.
The vulnerability is being actively exploited in zero-day attacks, prompting one of CISA's tightest remediation windows of the year. Under the terms of the Binding Operational Directive (BOD) 22-01, federal agencies subject to CISA oversight must patch or apply mitigations by the mandated deadline or request an exception through the agency.
What Is the Vulnerability?
The flaw affects Ivanti Endpoint Manager Mobile, a widely deployed mobile device management (MDM) solution used by government agencies, healthcare organizations, and enterprises worldwide to manage and secure employee devices.
CISA's KEV listing confirmed that the vulnerability is being actively leveraged by threat actors in real-world attacks — a designation the agency reserves for flaws with confirmed in-the-wild exploitation evidence, not merely theoretical risk.
Ivanti has a well-documented history of critical vulnerabilities in its remote access and endpoint management products. The company's Connect Secure VPN appliances were the subject of multiple emergency patch directives in recent years, making Ivanti infrastructure a persistent high-value target for nation-state and financially motivated threat actors alike.
Why Four Days?
CISA's standard KEV remediation window is either three weeks or a specific date aligned to the next Patch Tuesday cycle. A four-day deadline signals that CISA has assessed active exploitation to be severe and widespread enough to warrant emergency action.
The compressed timeline is consistent with CISA's approach to zero-day vulnerabilities where exploitation is confirmed before patches are universally available — the agency has imposed similarly short windows for Citrix, Fortinet, and Microsoft zero-days in 2025 and 2026.
Who Is Affected?
The mandatory directive applies to U.S. federal civilian executive branch (FCEB) agencies. However, CISA strongly encourages all organizations running Ivanti EPMM to treat the advisory as an urgent priority. State and local governments, critical infrastructure operators, and private-sector organizations using EPMM are urged to patch immediately.
Organizations at Risk
- Federal agencies running Ivanti EPMM for mobile device management
- Healthcare systems using Ivanti MDM for HIPAA-compliant device management
- Enterprises with large mobile device fleets managed through EPMM
- Managed service providers offering Ivanti-based MDM to clients
Recommended Actions
- Apply Ivanti's patch immediately. Check the Ivanti Security Advisories portal for the specific patch addressing this vulnerability.
- Review EPMM access logs for signs of exploitation — unusual API calls, authentication anomalies, or unexpected admin account activity.
- Isolate EPMM management interfaces from direct internet exposure if patching cannot happen immediately.
- Enable multi-factor authentication on all EPMM administrative accounts.
- Monitor CISA's KEV catalog for updates on exploitation scope and additional indicators of compromise.
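The last two actions, watching the KEV catalog and tracking its deadlines, can be automated. The script below is an added example, not code from CISA, Ivanti or the article: it parses a feed in the shape of CISA's public KEV JSON (the real feed lives at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and uses the field names shown), computes each entry's remediation window from `dateAdded` and `dueDate`, and flags entries whose window is short enough to count as emergency action. The catalog entries embedded here are constructed placeholders with fake CVE identifiers, so the script runs offline; on a real run you would fetch the feed and pass its text to `load_kev`.

```python
"""Triage CISA KEV catalog entries by vendor and remediation deadline.

Added example. The JSON layout mirrors the real KEV feed, but every entry
below is constructed for illustration; the CVE IDs are placeholders.
"""
from __future__ import annotations

import json
from datetime import date, datetime
from typing import Any

# Constructed sample feed (same structure as the real KEV JSON, fake data).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "dateReleased": "2026-01-15T12:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {   # four-day window: the kind of entry the article describes
            "cveID": "CVE-YYYY-PLACEHOLDER-1",
            "vendorProject": "Ivanti",
            "product": "Endpoint Manager Mobile (EPMM)",
            "vulnerabilityName": "Placeholder EPMM vulnerability",
            "dateAdded": "2026-01-12",
            "shortDescription": "Constructed placeholder entry.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-01-16",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {   # older entry whose deadline has already passed
            "cveID": "CVE-YYYY-PLACEHOLDER-2",
            "vendorProject": "Ivanti",
            "product": "Connect Secure",
            "vulnerabilityName": "Placeholder Connect Secure vulnerability",
            "dateAdded": "2025-12-01",
            "shortDescription": "Constructed placeholder entry.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-12-22",
            "knownRansomwareCampaignUse": "Known",
            "notes": "",
        },
        {   # standard three-week window from another vendor
            "cveID": "CVE-YYYY-PLACEHOLDER-3",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Placeholder Windows vulnerability",
            "dateAdded": "2026-01-13",
            "shortDescription": "Constructed placeholder entry.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-02-03",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})


def load_kev(raw_json: str) -> list[dict[str, Any]]:
    """Parse a KEV feed document and return its 'vulnerabilities' array."""
    return list(json.loads(raw_json).get("vulnerabilities", []))


def _parse_day(value: str) -> date:
    """KEV dates are plain YYYY-MM-DD strings."""
    return datetime.strptime(value, "%Y-%m-%d").date()


def remediation_window_days(entry: dict[str, Any]) -> int:
    """Days CISA allowed between catalog listing and the required due date."""
    return (_parse_day(entry["dueDate"]) - _parse_day(entry["dateAdded"])).days


def triage(entries: list[dict[str, Any]], as_of: date,
           vendors: set[str] | None = None,
           emergency_threshold_days: int = 7) -> list[dict[str, Any]]:
    """Filter entries by vendor and rank them by urgency as of a given day.

    An entry is marked 'emergency' when its remediation window is at or
    under the threshold (the default of 7 days separates emergency windows
    such as the four-day EPMM deadline from the usual three-week cycle).
    """
    results = []
    for entry in entries:
        if vendors and entry.get("vendorProject") not in vendors:
            continue
        remaining = (_parse_day(entry["dueDate"]) - as_of).days
        window = remediation_window_days(entry)
        results.append({
            "cveID": entry["cveID"],
            "product": entry["product"],
            "window_days": window,
            "days_remaining": remaining,
            "emergency": window <= emergency_threshold_days,
            "overdue": remaining < 0,
            "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    # Overdue entries (negative remaining days) sort first, then the nearest deadline.
    results.sort(key=lambda r: r["days_remaining"])
    return results


if __name__ == "__main__":
    today = date(2026, 1, 15)  # fixed so the sample output is reproducible
    for row in triage(load_kev(SAMPLE_KEV_JSON), today, vendors={"Ivanti"}):
        flag = "OVERDUE" if row["overdue"] else ("EMERGENCY" if row["emergency"] else "standard")
        print(f"{row['cveID']:<26} {row['product']:<32} window={row['window_days']:>2}d "
              f"remaining={row['days_remaining']:>4}d {flag}")
```

Running it with the vendor filter prints the two Ivanti rows, the already-overdue Connect Secure entry first and the four-day EPMM entry second; dropping the filter adds the three-week Microsoft entry at the bottom. The `window_days` value is what distinguishes an emergency listing from a routine one, so it is the field to alert on rather than `dueDate` alone.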
Ivanti's Track Record
This latest advisory continues a pattern of critical vulnerabilities in Ivanti's product line. In 2024 and 2025, Ivanti's Connect Secure and Policy Secure products were the subject of widespread exploitation by Chinese state-sponsored threat actors and ransomware groups. Ivanti has since committed to increased transparency and accelerated patch cycles, but the company's products continue to appear in CISA emergency directives with regularity.
Security teams managing Ivanti infrastructure should consider implementing enhanced monitoring, periodic credential rotation, and network segmentation as standing compensating controls — not just in response to individual CVEs.