Changeflow GovPing Data Privacy & Cybersecurity CVE-2026-1340 Ivanti EPMM Code Injection Vulner...
Priority review Notice Added Final

CVE-2026-1340 Ivanti EPMM Code Injection Vulnerability Added to KEV Catalog

Favicon for www.cisa.gov CISA ICS-CERT Advisories
Published
Detected
Email

Summary

CISA added CVE-2026-1340, an Ivanti Endpoint Manager Mobile (EPMM) code injection vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The vulnerability poses significant risk as a frequent attack vector for malicious cyber actors targeting federal enterprises. Federal Civilian Executive Branch agencies are required to remediate vulnerabilities identified in the KEV Catalog pursuant to BOD 22-01.

View original document View source feed page

What changed

CISA added one new vulnerability, CVE-2026-1340 affecting Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities Catalog. The addition was based on evidence of active exploitation, indicating ongoing attacks against this code injection vulnerability. BOD 22-01 establishes the KEV Catalog as a living list of CVEs carrying significant risk to the federal enterprise.

Organizations should prioritize immediate remediation given active exploitation status. Federal agencies face mandatory remediation timelines under BOD 22-01. CISA strongly urges all organizations to treat KEV Catalog vulnerabilities as priority items in their vulnerability management programs to reduce exposure to cyberattacks.

What to do next

  1. Federal agencies must remediate CVE-2026-1340 by the due date specified in BOD 22-01
  2. All organizations should prioritize timely remediation of this KEV catalog vulnerability
  3. Update vulnerability management practices to address active exploitation risks

Archived snapshot

Apr 8, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Alert

CISA Adds One Known Exploited Vulnerability to Catalog

Release Date

April 08, 2026

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2026-1340 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

This product is provided subject to this Notification and this Privacy & Use policy.

Please share your thoughts

We recently updated our anonymous product survey; we welcome your feedback.

Named provisions

Known Exploited Vulnerabilities Catalog

Related changes

Favicon for www.cisa.gov Ivanti EPMM Code Injection Vulnerability CVE-2026-1340
Urgent Apr 09, 2026 CISA Known Exploited Vulnerabilities (KEV) Data Privacy & Cybersecurity
Favicon for www.cisa.gov Fortinet FortiClient EMS Improper Access Control Vulnerability Added to KEV Catalog
Urgent Apr 06, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity
Favicon for www.cisa.gov TrueConf Client Vulnerability - Arbitrary Code Execution via Updates
Urgent Apr 03, 2026 CISA Known Exploited Vulnerabilities (KEV) Data Privacy & Cybersecurity

Get daily alerts for CISA ICS-CERT Advisories

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for www.cisa.gov
CISA ICS-CERT Advisories cisa.gov/rss.xml
Data Privacy & Cybersecurity

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CISA.

What's AI-generated?

The plain-English summary, classification, and "what to do next" steps are AI-generated from the original text. Cite the source document, not the AI analysis.

Last updated

Press inquiries →

Classification

Agency
CISA
Published
April 8th, 2026
Instrument
Notice
Legal weight
Non-binding
Stage
Final
Change scope
Substantive
Document ID
BOD 22-01

Who this affects

Applies to
Government agencies Technology companies
Industry sector
5112 Software & Technology
Activity scope
Vulnerability remediation Patch management Mobile device security
Geographic scope
United States US

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Data Privacy National Security

Browse Categories

Agriculture & Food Safety 63 AI Regulation 3 Banking & Finance 292 Consumer Protection 44 Courts & Legal 360 Data Privacy & Cybersecurity 74 Defense & National Security 52 Education 20 Energy 101 Environment 85 Environmental Permits 1 Environmental Regulation 8 Government & Legislation 278 Healthcare 136 Housing 16 Immigration 9 Insurance 58 Labor & Employment 113 Legal 1 Legislative 1 Pharma & Drug Safety 104 Public Health 3 Securities & Markets 104 Securities Regulation 9 Tax 66 Telecom & Technology 47 Trade & Sanctions 124 Transportation 57

Get alerts for this source

We'll email you when CISA ICS-CERT Advisories publishes new changes.

Optional. Personalizes your daily digest.

Free. Unsubscribe anytime.