
CVE-2026-1340

Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 29 January 2026

Modified: 09 April 2026
KEV Added: 08 April 2026
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8404 (99.7th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-1340 is a critical-severity Code Injection (CWE-94) vulnerability in Ivanti Endpoint Manager Mobile. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1340 is a code injection vulnerability, tracked under CWE-94, affecting Ivanti Endpoint Manager Mobile. The flaw carries a CVSS 3.1 base score of 9.8 and permits unauthenticated remote code execution on the affected mobile endpoint management platform.

An attacker with network access can send specially crafted input to trigger the injection, executing arbitrary code without authentication or user interaction. Successful exploitation grants full confidentiality, integrity, and availability impact on the target system.

Ivanti has published a security advisory addressing CVE-2026-1340 alongside a related issue, while CISA lists the vulnerability in its Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation and mandating timely remediation for federal agencies.

The associated EPSS score reached a peak of 0.7582 on 2026-04-17 before receding to its current value of 0.7387, indicating sustained exploitation interest following disclosure.


Vulnerability details

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-1340 enables unauthenticated remote code execution via code injection in a public-facing Ivanti EPMM server, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1281 (same product: Ivanti Endpoint Manager Mobile; both on KEV)
CVE-2026-6973 (same product: Ivanti Endpoint Manager Mobile; both on KEV)
CVE-2026-5788 (same product: Ivanti Endpoint Manager Mobile)
CVE-2026-5787 (same product: Ivanti Endpoint Manager Mobile)
CVE-2026-7821 (same product: Ivanti Endpoint Manager Mobile)
CVE-2024-10644 (same vendor: Ivanti)
CVE-2025-0282 (same vendor: Ivanti; both on KEV)
CVE-2026-5786 (same product: Ivanti Endpoint Manager Mobile)
CVE-2026-1603 (same vendor: Ivanti; both on KEV)
CVE-2025-49704 (shared CWE-94; both on KEV)

Affected Assets

Ivanti Endpoint Manager Mobile, versions ≤ 12.7.0.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation · prevent

Directly requires validation of all input to block the specially crafted payloads that trigger code injection and unauthenticated RCE.

AC-3 Access Enforcement · prevent

Enforces access-control decisions on every execution path, preventing the unauthenticated code paths exploited by this vulnerability.

Vendor patching · prevent

Mandates timely application of vendor patches for the known code-injection flaw listed in CISA KEV.
