Urgent Guidance Added Final

Ivanti EPMM Code Injection Vulnerability CVE-2026-1340

CISA Known Exploited Vulnerabilities (KEV)

Summary

CISA added CVE-2026-1340, a critical code injection vulnerability in Ivanti Endpoint Manager Mobile, to the Known Exploited Vulnerabilities catalog. The flaw carries a CVSS 9.8 score and allows unauthenticated remote code execution. Organizations running affected versions of Ivanti EPMM must apply patches immediately.

What changed

CISA added CVE-2026-1340 to its Known Exploited Vulnerabilities catalog on April 8, 2026. This critical code injection vulnerability in Ivanti Endpoint Manager Mobile has a CVSS 3.1 score of 9.8 (CRITICAL) and allows unauthenticated remote code execution without any user interaction. The flaw affects versions 12.x.1.x and 12.x.0.x RPM; versions 12.x.1.x RPM and later are unaffected. SSVC analysis confirms active exploitation and automatable attack capability with total technical impact.

All organizations running affected Ivanti EPMM versions face immediate risk from threat actors who can achieve remote code execution without credentials. Federal civilian agencies are subject to BOD 22-01 requirements to remediate KEV vulnerabilities. Technology companies and government agencies using Ivanti EPMM should prioritize patching, verify external exposure, and implement compensating controls for any systems that cannot be patched immediately.

What to do next

  1. Apply available patches for Ivanti EPMM versions 12.x.1.x and 12.x.0.x immediately
  2. Audit network exposure of Ivanti EPMM instances and restrict external access
  3. Isolate or monitor unpatched instances if immediate patching is not feasible

Archived snapshot

Apr 9, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Required CVE Record Information

CNA: Ivanti

Description

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

CWE 1 Total

- CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS 1 Total

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 9.8 | CRITICAL | 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

Product Status

Versions 2 Total

Default Status: affected

unaffected

  • unaffected at 12.x.1.x RPM

  • unaffected at 12.x.0.x RPM

References 1 Total

Authorized Data Publishers

CISA-ADP

Updated: 2026-04-09

SSVC and KEV, plus CVSS and CWE if not provided by the CNA.

SSVC 1 Total

| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | yes | total | 2.0.3 | 2026-01-29 |

KEV 1 Total

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1340 (2026-04-08)

About this page

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CISA.

What's AI-generated?

The plain-English summary, classification, and "what to do next" steps are AI-generated from the original text. Cite the source document, not the AI analysis.

Last updated

Classification

- Agency: CISA
- Published: April 8th, 2026
- Instrument: Guidance
- Legal weight: Non-binding
- Stage: Final
- Change scope: Substantive
- Document ID: CVE-2026-1340

Who this affects

- Applies to: Technology companies, Government agencies
- Industry sector: 5112 Software & Technology
- Activity scope: Vulnerability remediation, Mobile device management, Remote code execution prevention
- Geographic scope: United States (US)

Taxonomy

- Primary area: Cybersecurity
- Operational domain: IT Security
- Topics: Data Privacy, Consumer Protection
