(TLP:CLEAR) Weekly Vulnerabilities to Prioritize – April 9, 2026

Author: Chase Snow

Created: Thursday, April 9, 2026 - 15:40

Categories: Cybersecurity, Security Preparedness

The below vulnerabilities have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation. WaterISAC draws additional awareness in alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to regularly review these vulnerabilities, many of which are often included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
CVSS 3.1: 9.8
CVEs: CVE-2026-1340
Description: A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. CISA has added these vulnerabilities to its KEV catalog.
Original Source: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340
Additional Reading

CISA orders feds to patch exploited Ivanti EPMM flaw by Sunday

Fortinet FortiClient EMS Improper Access Control Vulnerability
CVSS 3.1: 9.1
CVE: CVE-2026-35616
Description: A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. CISA added this vulnerability to its KEV catalog.
Source: https://fortiguard.fortinet.com/psirt/FG-IR-26-099

Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ
CVSS: N/A
CVE: CVE-2026-34197
Description: Improper Input Validation, Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console.
Source: https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt
Additional Reading:

13-year-old bug in ActiveMQ lets hackers remotely execute commands