Cyber Posture

CVE-2026-1340

Critical · CISA KEV · Active Exploitation

Published: 29 January 2026

Modified: 09 April 2026
KEV Added: 08 April 2026
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6681 (98.6th percentile)
Risk Priority: 80 (60% EPSS · 20% KEV · 20% CVSS)

Description

A code injection vulnerability in Ivanti Endpoint Manager Mobile allows attackers to achieve unauthenticated remote code execution.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Mandates timely identification, reporting, and correction of software flaws like CVE-2026-1340 via patching to prevent unauthenticated remote code execution.

prevent

Enforces validation of information inputs to directly counter code injection vulnerabilities such as CVE-2026-1340 at network entry points.

detect

Requires vulnerability scanning to identify systems affected by CVE-2026-1340, enabling prioritized remediation before exploitation.

Security Summary · AI

CVE-2026-1340 is a code injection vulnerability (CWE-94) affecting Ivanti Endpoint Manager Mobile (EPMM). Published on 2026-01-29, it enables unauthenticated remote code execution on vulnerable systems. The flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact across confidentiality, integrity, and availability.

Any network-accessible attacker can exploit CVE-2026-1340 without authentication, privileges, or user interaction, and with low attack complexity. Successful exploitation allows remote code execution, potentially compromising the EPMM server and enabling full control over the affected endpoint management infrastructure.

Ivanti's security advisory (covering CVE-2026-1281 and CVE-2026-1340) provides details on the issue for EPMM. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities Catalog, urging federal agencies to patch promptly. Practitioners should review these advisories for available patches and mitigation guidance.

Its inclusion in CISA's KEV catalog indicates real-world exploitation is occurring.

Details

CWE(s): CWE-94
KEV Date Added: 08 April 2026

Affected Products

ivanti · endpoint manager mobile · ≤ 12.7.0.0

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-1340 enables unauthenticated remote code execution via code injection in a public-facing Ivanti EPMM server, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
