The Cybersecurity and Infrastructure Security Agency issued a mandatory patching directive requiring U.S. federal agencies to address a high-severity zero-day vulnerability in Ivanti Endpoint Manager Mobile within four days. This deadline reflects active exploitation in the wild by threat actors.

The vulnerability affects Ivanti EPMM, a widely deployed mobile device management solution used across government and enterprise networks. Federal agencies face binding compliance requirements under CISA's emergency patching orders, making this among the most time-sensitive remediation tasks agencies handle.

The four-day window is significantly compressed compared to standard patching timelines. CISA typically allows longer periods for vulnerability fixes, making this directive a clear indicator that the threat level warrants immediate action. The zero-day status means Ivanti released patches before full public disclosure, but malicious actors already possessed working exploits.

Ivanti EPMM manages sensitive endpoints across organizations, including mobile devices that access classified or controlled information. Compromise of these systems could grant attackers persistence, lateral movement capabilities, or data exfiltration pathways. Federal agencies using EPMM face elevated risk if patches remain undeployed.

The vulnerability joins a growing list of critical Ivanti flaws exploited in recent months. The company's software has experienced multiple high-severity vulnerabilities affecting Connect Secure VPN gateways and other products. This pattern suggests either concentrated attacker interest in Ivanti infrastructure or systemic coding issues in the company's products.

Federal agencies must inventory affected EPMM deployments, test patches in controlled environments, and deploy fixes across their infrastructure within the compressed timeline. Large agencies with thousands of endpoints face logistical challenges meeting the four-day deadline while maintaining system stability.

Non-federal organizations using EPMM should treat this CISA directive as a template for their own remediation schedules. Although the order binds only