The U.S. Cybersecurity and Infrastructure Security Agency has added a flaw in Ivanti EPMM to its Known Exploited Vulnerabilities (KEV) catalog, tracked as CVE-2026-35616 and CVE-2026-1340, with a CVSS score of 9.8. The critical vulnerability is a code injection in Ivanti Endpoint Manager Mobile that allows attackers to achieve unauthenticated remote code execution.
The affected versions listed include Ivanti Endpoint Manager Mobile 12.5.0.0 and prior, 12.6.0.0 and prior, 12.7.0.0 and prior; and Ivanti Endpoint Manager Mobile 12.5.1.0 and prior, 12.6.1.0 and prior, with corresponding affected and resolved CPEs. The software firm notes that a very limited number of customers had been exploited at the time of disclosure, but a proof-of-concept was made available shortly after.
CISA and Ivanti urge immediate patching and the use of the Exploitation Detection RPM to help identify potential compromises, while noting that detection tools do not guarantee safety. Federal agencies are to fix the vulnerability by 11 April 2026, in line with Binding Operational Directive 22-01.