CVE-2026-1340
Summary
| CVE | CVE-2026-1340 |
|---|---|
| State | PUBLISHED |
| Assigner | ivanti |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-01-29 22:15:53 UTC |
| Updated | 2026-04-09 14:03:31 UTC |
| Description | A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. |
Risk And Classification
Primary CVSS: v3.1 9.8 CRITICAL from 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.644290000 probability, percentile 0.984550000 (date 2026-04-21)
CISA KEV: Listed on 2026-04-08; due 2026-04-11; ransomware use Unknown
Problem Types: CWE-94 | CWE-94 CWE-94 Improper Control of Generation of Code ('Code Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability
| Vendor | Ivanti |
|---|---|
| Product | Endpoint Manager Mobile (EPMM) |
| Name | Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability |
| Required Action | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
| Notes | Please adhere to Ivanti's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Ivanti products affected by this vulnerability. Apply any final mitigations provided by the vendor as soon as possible. For more information please see: https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US ; https://support.mobileiron.com/mi/vsp/AB1786671/ivanti-security-update-1761642-1.1.0S-5.noarch.rpm ; https://support.mobileiron.com/mi/vsp/AB1786671/ivanti-security-update-1761642-1.1.0L-5.noarch.rpm ; https://nvd.nist.gov/vuln/detail/CVE-2026-1340 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Ivanti | Endpoint Manager Mobile | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Ivanti | Endpoint Manager Mobile | unaffected 12.x.1.x RPM custom | Not specified |
| CNA | Ivanti | Endpoint Manager Mobile | unaffected 12.x.0.x RPM custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EP... | 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 | forums.ivanti.com | Vendor Advisory |
| www.cisa.gov/known-exploited-vulnerabilities-catalog | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | www.cisa.gov | Third Party Advisory, US Government Resource |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-04-08T00:00:00.000Z | CVE-2026-1340 added to CISA KEV |
There are currently no legacy QID mappings associated with this CVE.