CISA Orders Federal Agencies to Patch Critical Ivanti Vulnerability by Sunday
AI-generated from multiple sources. Verify before acting on this reporting.
WASHINGTON — The Cybersecurity and Infrastructure Security Agency (CISA) has directed all U.S. federal agencies to apply a security patch for a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) software by Sunday. The directive follows confirmed exploitation of the flaw in cyberattacks targeting government systems since January.
The order, issued Tuesday, mandates immediate remediation for the high-severity issue affecting the mobile management platform used across federal networks. CISA officials stated the vulnerability poses a significant risk to federal information systems and requires urgent action to prevent unauthorized access or data compromise.
Ivanti EPMM is widely deployed within the federal sector to manage mobile devices and applications. The vulnerability allows attackers to execute code remotely, potentially granting control over managed endpoints. Security experts warn that the flaw has been actively exploited in the wild, with incidents first detected in early 2026.
Federal agencies are required to verify patch deployment and report compliance status to CISA within 48 hours of the deadline. Non-compliant agencies face potential restrictions on network access until remediation is complete. The directive applies to all executive branch departments and agencies, including those with classified or sensitive information systems.
The vulnerability was assigned a critical severity rating by the National Vulnerability Database. Ivanti released a security advisory and patch earlier this week, urging customers to update their systems immediately. The vendor stated the flaw affects specific versions of EPMM and does not impact all deployments.
CISA emphasized that the patch must be applied across all affected environments, including those operating in air-gapped or restricted networks. The agency provided technical guidance and mitigation strategies for agencies unable to patch immediately, recommending network segmentation and enhanced monitoring as temporary measures.
This directive marks the latest in a series of emergency cybersecurity actions taken by the federal government in response to evolving threats. Previous incidents involving Ivanti software have prompted similar urgent patching orders, highlighting the ongoing challenge of securing complex enterprise systems.
Questions remain regarding the full scope of exploitation and whether any federal agencies have already been compromised. CISA has not disclosed the number of confirmed incidents or the identity of any targeted agencies. The agency continues to monitor the situation and may issue additional guidance as new information becomes available.
Federal cybersecurity officials are coordinating with private sector partners to ensure widespread awareness of the vulnerability. The private sector is also advised to assess their Ivanti EPMM deployments and apply the available patch to mitigate potential risks.
The deadline for federal agencies to comply with the directive is Sunday at 11:59 p.m. Eastern Time. CISA will assess compliance and take enforcement actions as necessary to protect federal networks from further exploitation.