CISA added CVE-2026-1340 to the Known Exploited Vulnerabilities catalog on April 8. Pre-auth code injection in Ivanti EPMM. CVSS 9.8. Exploited since at least January. Patched January 29, which means attackers had 73 days before federal agencies even had a deadline.
If you haven’t patched, that deadline is tonight.
But the patch isn’t really the story. The story is 33.
Thirty-three Ivanti vulnerabilities are now on the CISA KEV catalog. Twelve have been exploited by ransomware groups. The list spans Connect Secure, Policy Secure, EPMM, multiple product lines, multiple years. Chinese state actors. Emergency directives. Repeated rounds of “patch this right now or isolate it.”
None of this makes Ivanti uniquely evil. But 33 is a specific number with a specific track record. If your organization’s vendor risk process doesn’t have a threshold at which accumulated KEV entries trigger a formal evaluation, this week is a good time to set one.
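One way to turn that threshold into a repeatable check, as an added example that is not from the original post: count KEV entries per vendor and flag any vendor in your inventory that meets a total or ransomware-linked limit. The field names follow CISA's KEV JSON feed; the vendor names, CVE IDs, dates, function names and threshold values are constructed placeholders.

```python
import json
from collections import defaultdict
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names are the
# feed's; vendors, products, CVE IDs and dates are placeholders, not real entries.
SAMPLE_KEV = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendorA", "product": "Gateway",
  "dateAdded": "2023-03-01", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendorA", "product": "Gateway",
  "dateAdded": "2024-01-10", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendorA", "product": "MDM",
  "dateAdded": "2025-02-05", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0004", "vendorProject": "ExampleVendorA", "product": "MDM",
  "dateAdded": "2026-01-20", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0005", "vendorProject": "ExampleVendorB", "product": "Router",
  "dateAdded": "2025-06-01", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0006", "vendorProject": "ExampleVendorC", "product": "CMS",
  "dateAdded": "2019-05-01", "knownRansomwareCampaignUse": "Known"}
]}""")

def vendor_kev_summary(catalog, since=None):
    """Per-vendor KEV counts, optionally limited to entries added on/after `since`."""
    summary = defaultdict(lambda: {"total": 0, "ransomware": 0, "products": set()})
    for entry in catalog.get("vulnerabilities", []):
        if since and date.fromisoformat(entry["dateAdded"]) < since:
            continue
        row = summary[entry["vendorProject"].strip().lower()]
        row["total"] += 1
        row["products"].add(entry["product"])
        if entry.get("knownRansomwareCampaignUse", "Unknown") == "Known":
            row["ransomware"] += 1
    return dict(summary)

def vendors_needing_review(catalog, deployed, min_total, min_ransomware, since=None):
    """Deployed vendors whose KEV history meets either (hypothetical) threshold."""
    summary = vendor_kev_summary(catalog, since)
    flagged = {}
    for vendor in deployed:
        row = summary.get(vendor.strip().lower())
        if row and (row["total"] >= min_total or row["ransomware"] >= min_ransomware):
            flagged[vendor] = row
    return flagged

if __name__ == "__main__":
    inventory = ["ExampleVendorA", "ExampleVendorB", "ExampleVendorC"]
    for name, row in vendors_needing_review(SAMPLE_KEV, inventory, 3, 2).items():
        print(name, row["total"], "KEV entries,", row["ransomware"], "ransomware-linked,",
              "products:", sorted(row["products"]))
```

The `since` argument limits the count to a recent window, so an old cluster of entries and a steady multi-year pattern can be judged separately.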
One catch: the EPMM RPM patch doesn’t survive a version upgrade. If you patched and then upgraded, you need to reinstall the RPM. The permanent fix isn’t available until 12.8.0.0. Run the Exploitation Detection RPM too. At 73 days, assume possible compromise first, then patch.
The full technical rundown and why 33 has to mean something beyond another patch advisory