CVE-2026-1340
Published: 29 January 2026
Summary
CVE-2026-1340 is a critical-severity Code Injection (CWE-94) vulnerability in Ivanti Endpoint Manager Mobile. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-1340 is a code injection vulnerability, tracked under CWE-94, affecting Ivanti Endpoint Manager Mobile. The flaw carries a CVSS 3.1 base score of 9.8 and permits unauthenticated remote code execution on the affected mobile endpoint management platform.
An attacker with network access can send specially crafted input to trigger the injection, executing arbitrary code without authentication or user interaction. Successful exploitation grants full confidentiality, integrity, and availability impact on the target system.
Ivanti has published a security advisory addressing CVE-2026-1340 alongside a related issue, while CISA lists the vulnerability in its Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation and mandating timely remediation for federal agencies.
The associated EPSS score reached a peak of 0.7582 on 2026-04-17 before receding to its current value of 0.7387, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4936
Vulnerability details
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
- CWE(s): CWE-94 (Code Injection)
- KEV Date Added: 08 April 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-1340 enables unauthenticated remote code execution via code injection in a public-facing Ivanti EPMM server, directly facilitating T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all input to block the specially crafted payloads that trigger code injection and unauthenticated RCE.
- AC-3 (Access Enforcement): enforces access-control decisions on every execution path, preventing the unauthenticated code paths exploited by this vulnerability.
- Mandates timely application of vendor patches for the known code-injection flaw listed in CISA KEV.