🔴 CRITICAL
Severity Overview
- CVSS Base Score: 9.8
- Severity: CRITICAL
- CVSS Version: 3.1
- Priority: Critical priority
Summary
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
Analyst Takeaway
This vulnerability is already in CISA KEV, which means exploitation has been observed in the wild and the issue should be treated as active risk rather than theoretical exposure. The CVSS score places this in critical territory, so internet-facing systems and high-value assets should be prioritized for immediate remediation or compensating controls. Ivanti Endpoint Manager Mobile (EPMM) is associated with technology that is commonly deployed in enterprise environments, so defenders should assume a higher probability of broad target interest and prioritize validation across the environment. The ATT&CK mapping suggests public-facing exploitation risk, so external exposure validation should be part of immediate triage. In parallel with patching, defenders should review external exposure, hunt for signs of exploitation, and validate whether compensating controls are in place for vulnerable assets.
MITRE ATT&CK Mapping
- T1190 – Exploit Public-Facing Application
Rationale: The product appears likely to be internet-facing or commonly exposed in enterprise environments.
Detection Guidance
-
T1190 – Exploit Public-Facing Application
- Inspect web server, reverse proxy, load balancer, and WAF logs for abnormal requests.
- Look for unusual requests to uncommon URIs, exploit strings, or suspicious POST activity.
- Monitor for spikes in HTTP 4xx/5xx responses that may indicate probing or failed exploitation attempts.
- Review outbound connections from affected servers for unexpected command-and-control or secondary payload retrieval.
- Validate which internet-facing assets are running the vulnerable product and whether compensating controls exist.
Hunting Considerations
- Search SIEM and EDR data for activity aligned to the mapped ATT&CK techniques.
- Correlate endpoint, network, identity, and application telemetry for signs of exploitation and post-exploitation behavior.
- Prioritize internet-facing systems, externally reachable management interfaces, and assets handling sensitive data.
- Investigate unexpected process creation, service changes, outbound connections, or authentication anomalies on affected hosts.
Key Details
- CVE: CVE-2026-1340
- Vendor: Ivanti
- Product: Endpoint Manager Mobile (EPMM)
- CWE: CWE-94
- Date Added to CISA KEV: 2026-04-08
- CISA Due Date: 2026-04-11
- Known Ransomware Campaign Use: Unknown
Technical Severity Details
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Why This Matters
This vulnerability is included in CISA’s Known Exploited Vulnerabilities catalog, which means exploitation has been observed in the wild. Based on the available NVD scoring, this issue should be treated as critical priority.
Recommended Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional Notes
Please adhere to Ivanti’s guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Ivanti products affected by this vulnerability. Apply any final mitigations provided by the vendor as soon as possible. For more information please see: https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US ; https://support.mobileiron.com/mi/vsp/AB1786671/ivanti-security-update-1761642-1.1.0S-5.noarch.rpm ; https://support.mobileiron.com/mi/vsp/AB1786671/ivanti-security-update-1761642-1.1.0L-5.noarch.rpm ; https://nvd.nist.gov/vuln/detail/CVE-2026-1340