Executive Summary
In January 2026, a critical code injection vulnerability, CVE-2026-1340, was discovered in Ivanti Endpoint Manager Mobile (EPMM). This flaw allows unauthenticated remote code execution, enabling attackers to execute arbitrary code on affected systems without authentication. The vulnerability affects EPMM versions up to and including 12.7.0.0. Exploitation of this vulnerability can lead to complete system compromise, data theft, and potential lateral movement within enterprise networks. (sentinelone.com)
The inclusion of CVE-2026-1340 in CISA's Known Exploited Vulnerabilities Catalog underscores the urgency for organizations to address this issue promptly. (datacomm.com)
Why This Matters Now
The active exploitation of CVE-2026-1340 highlights the critical need for organizations to patch vulnerable systems immediately. Delayed remediation increases the risk of unauthorized access, data breaches, and operational disruptions.
Attack Path Analysis
An unauthenticated attacker exploited a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) to gain remote code execution. This initial access allowed the attacker to escalate privileges within the EPMM system, potentially obtaining administrative control. Leveraging this control, the attacker moved laterally to other systems managed by EPMM. The attacker established command and control channels to maintain persistent access. Sensitive data was exfiltrated from compromised systems. The attack culminated in significant operational disruption and potential data loss.
Kill Chain Progression
Initial Compromise
Description
An unauthenticated attacker exploited a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) to gain remote code execution.
Related CVEs
CVE-2026-1340
CVSS 9.8
A code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allows unauthenticated remote code execution.
Affected Products:
Ivanti Endpoint Manager Mobile – up to 12.7.0.0
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Valid Accounts
File and Directory Discovery
Network Service Scanning
Remote Services
Impair Defenses
Data Destruction
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Applications and Workloads
Control ID: Pillar 3
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
CISA KEV vulnerability CVE-2026-1340 in Ivanti EPMM creates critical code injection risks for federal agencies managing mobile device endpoints and security policies.
Information Technology/IT
Ivanti Endpoint Manager Mobile vulnerability enables code injection attacks against IT infrastructure, requiring immediate remediation for mobile device management and security operations.
Health Care / Life Sciences
Code injection vulnerability in mobile endpoint management systems threatens HIPAA compliance and patient data security across healthcare mobile device deployments.
Financial Services
Mobile endpoint management vulnerability poses significant risks to financial institutions' PCI compliance and encrypted traffic security for mobile banking applications.
Sources
- CISA Adds One Known Exploited Vulnerability to Catalog: https://www.cisa.gov/news-events/alerts/2026/04/08/cisa-adds-one-known-exploited-vulnerability-catalog
- NVD - CVE-2026-1340: https://nvd.nist.gov/vuln/detail/CVE-2026-1340
- Security Advisory: Ivanti Endpoint Manager Mobile (EPMM) CVE-2026-1281, CVE-2026-1340: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been constrained by limiting unauthorized communications and enforcing strict access controls.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited by enforcing strict identity-based access controls and segmenting administrative functions.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely have been constrained by monitoring and controlling east-west traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels may have been limited by providing comprehensive visibility and control over network communications.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive data would likely have been constrained by enforcing strict egress policies and monitoring outbound traffic.
The overall impact of the attack may have been reduced by limiting the attacker's ability to move laterally and exfiltrate data.
Impact at a Glance
Affected Business Functions
- Mobile Device Management
- Security Compliance
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive corporate data managed by mobile devices.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the attacker's ability to access other systems.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts of known vulnerabilities.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual activities promptly.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Ensure all systems are updated with the latest security patches to mitigate known vulnerabilities.