CISA Orders Federal Agencies to Patch Ivanti Zero-Day Flaw in 4 Days
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring federal civilian agencies to patch a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) within four days. The directive comes as active exploitation of the flaw has been detected in the wild, marking the second zero-day vulnerability in Ivanti software to be weaponized this year. CISA Director Jen Easterly warned that failure to comply could result in serious compromise of federal networks.
The vulnerability, tracked as CVE-2024-29824, affects Ivanti EPMM versions before 11.12.0 and allows authenticated administrators to execute arbitrary commands through the mobile device management interface. Security researchers at Volexity identified active exploitation where threat actors chained this flaw with a previous authentication bypass vulnerability (CVE-2023-46805) to achieve full system compromise. The attack chain enables remote code execution without user interaction, making it particularly dangerous for organizations with internet-facing Ivanti instances.
CISA's directive mandates that affected agencies apply the latest security patches by the deadline or implement compensating controls if immediate patching is not feasible. Ivanti has released version 11.12.0 of EPMM to address the vulnerability, and administrators are urged to update immediately given the active exploitation status. The agency has also added this vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate according to binding operational directive requirements.
This marks the second time this year that Ivanti's enterprise mobile management software has been targeted by zero-day exploits, following similar attacks in January that affected multiple government agencies and critical infrastructure sectors. Security experts recommend organizations disable unnecessary EPMM services, implement network segmentation, and review access logs for suspicious activity while the patching process is underway.