Ivanti Endpoint Manager Mobile has a critical, actively exploited code injection vulnerability (CVE-2026-1340) that can allow unauthenticated remote code execution on Internet-exposed, unpatched appliances. CISA added the flaw to its KEV catalog, ordered federal agencies to patch by April 11 under BOD 22-01, and urged all organizations to apply Ivanti’s January 29 fixes as Shadowserver reports nearly 950 exposed EPMM IPs still online.
Key points
- CVE-2026-1340 is a critical code injection flaw that can lead to unauthenticated remote code execution.
- Ivanti released patches for CVE-2026-1340 and CVE-2026-1281 on January 29 and strongly urged customers to update.
- CISA added CVE-2026-1340 to its KEV Catalog and required federal agencies to patch by April 11 under BOD 22-01.
- Shadowserver is tracking about 950 Internet-exposed Ivanti EPMM IP addresses, primarily in Europe and North America.
- Ivanti has 33 vulnerabilities tagged as exploited (12 linked to ransomware) and serves over 40,000 customers worldwide.