A critical code injection flaw in Ivanti Endpoint Manager Mobile (EPMM) allows unauthenticated attackers to achieve remote code execution over the network, and CISA has confirmed it is being actively exploited in the wild.
What Is It
CVE-2026-1340 is a code injection vulnerability (CWE-94) in Ivanti Endpoint Manager Mobile. According to NVD, the flaw allows attackers to achieve unauthenticated remote code execution. It carries a CVSS 3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no privileges or user interaction required, and high impact to confidentiality, integrity, and availability.
Why It Matters
CISA added CVE-2026-1340 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-04-08, confirming active exploitation. EPMM sits at the boundary of enterprise mobile device management, so a pre-auth RCE on an internet-exposed instance gives an attacker an immediate foothold into managed mobile fleets and the surrounding management plane. Known ransomware campaign use is listed as "Unknown" by CISA, but the KEV listing alone places this on the must-patch tier for federal agencies and any organization following BOD 22-01.
What's Vulnerable
Per NVD's CPE configuration, the vulnerability affects:
cpe:2.3:a:ivanti:endpoint_manager_mobile:*, all versions up to and including 12.7.0.0
Any internet-accessible EPMM instance at or below that version should be treated as exposed.
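The version bound above is easy to misapply when comparing dotted versions as strings. The following added example (not Ivanti's or CISA's code) checks a constructed EPMM inventory against the NVD range, with the inclusive 12.7.0.0 bound, and lists internet-facing instances first since those are the ones CISA tells defenders to check for compromise; hostnames and versions in the inventory are made up.

```python
"""Triage an EPMM inventory against the CVE-2026-1340 affected range.

Added example, not Ivanti's or CISA's code. The affected range is the
NVD CPE configuration quoted above; the inventory below is constructed.
"""
from dataclasses import dataclass

AFFECTED_PRODUCT = "ivanti:endpoint_manager_mobile"  # vendor:product from the CPE
VERSION_END_INCLUDING = "12.7.0.0"                   # inclusive upper bound

def parse_version(version: str) -> tuple[int, ...]:
    """Turn '12.7' or '12.7.0.0' into a 4-part integer tuple so that
    comparison is numeric (11.12 < 12.7), not lexical ('11.12' > '12.7')."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(version: str) -> bool:
    """True when the version is at or below versionEndIncluding."""
    return parse_version(version) <= parse_version(VERSION_END_INCLUDING)

@dataclass(frozen=True)
class Instance:
    host: str
    product: str          # CPE vendor:product
    version: str
    internet_facing: bool

def triage(inventory: list[Instance]) -> list[tuple[str, str]]:
    """Return (host, tier) for each affected EPMM instance, exposed ones first."""
    findings = []
    for inst in inventory:
        if inst.product != AFFECTED_PRODUCT or not is_affected(inst.version):
            continue  # other product, or outside the NVD affected range
        tier = "exposed" if inst.internet_facing else "affected-internal"
        findings.append((inst.host, tier))
    findings.sort(key=lambda f: (f[1] != "exposed", f[0]))
    return findings

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    Instance("mdm-edge-1.example.test", AFFECTED_PRODUCT, "12.7.0.0", True),
    Instance("mdm-lab.example.test", AFFECTED_PRODUCT, "12.6.1.0", False),
    Instance("mdm-edge-2.example.test", AFFECTED_PRODUCT, "12.7.0.1", True),  # above bound
    Instance("mdm-core.example.test", AFFECTED_PRODUCT, "11.12", True),
    Instance("epm-srv.example.test", "ivanti:endpoint_manager", "2024.1", True),
]

if __name__ == "__main__":
    for host, tier in triage(SAMPLE_INVENTORY):
        print(f"{tier:17} {host}")
```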
Patch Status
CISA's required action: apply mitigations per Ivanti's instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The CISA due date was 2026-04-11. CISA also instructs defenders to check all internet-accessible Ivanti products for signs of potential compromise before and after applying fixes. Ivanti has published security update RPMs (ivanti-security-update-1761642-1.1.0S-5 and -1.1.0L-5) referenced in the KEV notes.