CVE-2026-1340 is a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that enables unauthenticated remote code execution (RCE). The flaw has been confirmed as actively exploited and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, indicating immediate risk to exposed systems.
The vulnerability is particularly dangerous due to its network exposure and lack of authentication requirements, making any internet-facing EPMM instance a viable target.
For full details, please read the advisory from Ivanti.
Affected Versions
The vulnerability impacts multiple EPMM versions across supported branches:
- 12.5.0.0 and prior
- 12.5.1.0 and prior
- 12.6.0.0 and prior
- 12.6.1.0 and prior
- 12.7.0.0 and prior
Ivanti has released patched versions under updated RPM builds (12.x.0.x / 12.x.1.x).
Observed Threat Activity
Ivanti confirmed that exploitation occurred in the wild prior to public disclosure, affecting a limited number of customers.
Shortly after disclosure, a public proof-of-concept (PoC) was released, significantly increasing the likelihood of broader exploitation. The inclusion in CISA’s KEV catalog and the mandated remediation timeline further indicate that this vulnerability is already being operationalized by threat actors.
Technical Details
The flaw allows attackers to inject and execute arbitrary code on vulnerable EPMM servers without authentication. This provides immediate control over the system and removes traditional access barriers.
Given the role of EPMM as a mobile device management platform, successful exploitation can lead to:
- Full takeover of the EPMM server
- Access to managed devices and enterprise configurations
- Credential exposure and identity-based pivoting
Ivanti released an RPM-based detection tool to identify known indicators of compromise. However, this tool is limited to known patterns and cannot confirm the absence of compromise, so additional log analysis and validation are still required.
Impact Assessment
This vulnerability should be treated as critical, and any system that was exposed should be treated as potentially compromised before it was patched.
EPMM sits in a privileged position within enterprise environments, managing devices, policies, and access. As a result, compromise can extend beyond a single system and enable attackers to move laterally, maintain persistence, and target identity infrastructure.
Recommended Actions
Immediate action:
- Patch all affected EPMM instances immediately
- Prioritize internet-facing deployments
Validation:
- Run Ivanti’s RPM detection tool
- Review historical logs for suspicious activity prior to patching
Key focus areas during investigation:
- Unexpected command execution on EPMM hosts
- Anomalous administrative activity
- Suspicious outbound connections or lateral movement indicators
Stay Safe. Stay Secure
OP Innovate Research Team



