CISA warns of critical Ivanti EPMM code injection flaw exploited in attacks
CISA has added a critical Ivanti Endpoint Manager Mobile vulnerability, CVE-2026-1340, to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The flaw affects Ivanti EPMM and can allow unauthenticated remote code execution, which means attackers may not need valid credentials to take control of a vulnerable server.
This is a serious issue because EPMM sits in a sensitive position inside many organizations. It manages mobile devices, apps, and policies, so a compromise can expose more than one server and may let attackers affect a large fleet of corporate phones and tablets.
The immediate answer is simple: patch now if you run Ivanti EPMM on premises. CISA gave federal agencies until April 11, 2026 to act, and Ivanti says customers should install the fix without delay.
What CVE-2026-1340 does
Ivanti describes CVE-2026-1340 as a code injection flaw in Endpoint Manager Mobile that allows unauthenticated remote code execution. The company assigned it a CVSS 3.1 score of 9.8, which places it in the critical range.
CISA’s KEV entry confirms the flaw is already under active attack. That matters because KEV additions are not theoretical warnings. They mean CISA has enough evidence to treat the bug as exploited in the real world.
Ivanti’s analysis guidance says CVE-2026-1340, along with CVE-2026-1281, affects the In-House Application Distribution and Android File Transfer Configuration features in EPMM. That gives defenders a clearer idea of where to focus during triage and mitigation.
Why this flaw matters so much
EPMM is not a low-value back-office tool. Ivanti’s own product documentation says it manages the lifecycle of mobile devices and applications, including registration, policies, app distribution, and secure access to corporate resources.
That level of control makes the product a high-value target. If attackers gain code execution on an EPMM server, they may be able to access sensitive enterprise data, tamper with device management settings, or use the server as a launch point for deeper movement inside the network. This risk follows directly from the platform’s role and the severity of unauthenticated RCE.
Ivanti also says the issue affects the on-premises EPMM product and is not present in Ivanti Neurons for MDM (the company’s cloud-based unified endpoint management product), Ivanti Sentry, or other Ivanti products listed in its update.
What organizations need to do now
CISA’s required action is direct. Agencies must apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Ivanti says customers using on-prem EPMM should promptly install the patch. The company also says it has mobilized support resources and worked with security partners and law enforcement as part of its response.
One important detail is timing. CISA added the flaw to KEV on April 8, 2026, and set an April 11, 2026 deadline for federal civilian executive branch agencies. That three-day window reflects the urgency attached to this bug.
Ivanti EPMM CVE-2026-1340 quick facts
| Item | Details |
|---|---|
| Vulnerability | CVE-2026-1340 |
| Product | Ivanti Endpoint Manager Mobile (EPMM) |
| Severity | Critical |
| Type | Code injection |
| Impact | Unauthenticated remote code execution |
| Exploitation status | Confirmed exploited in the wild |
| KEV added | April 8, 2026 |
| Federal due date | April 11, 2026 |
Immediate response checklist
- Patch on-prem Ivanti EPMM immediately using Ivanti’s vendor guidance.
- Review whether the affected features, including In-House Application Distribution and Android File Transfer Configuration, are exposed or enabled in your environment.
- Follow CISA’s BOD 22-01 guidance if your deployment touches cloud services.
- If you cannot mitigate right away, remove the product from service until you can secure it. CISA explicitly includes that as an option.
- Treat the flaw as an active incident risk, not as routine patching, because CISA has already confirmed exploitation.
FAQ
CVE-2026-1340 is a critical code injection flaw in Ivanti Endpoint Manager Mobile. Ivanti says it can allow attackers to achieve unauthenticated remote code execution.
Yes. CISA added it to the Known Exploited Vulnerabilities catalog on April 8, 2026, which means the agency confirmed active exploitation.
The flaw affects Ivanti Endpoint Manager Mobile on premises. Ivanti says it does not affect Ivanti Neurons for MDM, Ivanti Sentry, or the other Ivanti products referenced in its update.
Apply Ivanti’s patch or mitigations right away. If that is not possible, CISA says organizations should discontinue use of the product until they can secure it.