CVE-2026-1340 is a critical (9.8) remote code execution (RCE) vulnerability in Ivanti EPMM (up to 12.7.0.0). It is actively exploited; immediate patching and mitigation are required.

| Product | Version Start | Version End (excl.) | Status |
|---|---|---|---|
| endpoint_manager_mobile | * | 12.7.0.0 | vulnerable |
Immediately download and install the security updates provided by Ivanti, specifically the security-update RPM packages (e.g., version 1.1.0S-5 or 1.1.0L-5) designed to mitigate this code injection flaw.
Upgrade all Ivanti Endpoint Manager Mobile (EPMM) instances running version 12.7.0.0 or earlier to the latest secure version specified in the Ivanti security advisory to ensure the vulnerability is fully remediated.
Minimize the attack surface by restricting access to EPMM management interfaces. Implement strict firewall rules to ensure only trusted IP addresses can reach the service and consider placing the product behind a VPN.
Actively scan for signs of compromise by reviewing system logs for unusual command execution, unauthorized file changes, or suspicious outbound network traffic originating from the EPMM server, which may indicate post-exploitation activity.
To detect potential exploitation of CVE-2026-1340, security teams should monitor web server logs for suspicious HTTP POST requests containing unexpected scripts or shell commands. Look for indicators of CWE-94 code injection, such as unusual characters or system-level commands in application input fields. Additionally, check for the creation of unauthorized web shells or new administrative users, and use network-based IDS signatures to identify unauthenticated traffic patterns targeting known EPMM vulnerabilities.
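The log review and source-restriction advice above can be combined into a first-pass triage script. The following is an added example, not Ivanti tooling or code from the advisory: the trusted network range, the request paths and the sample log lines are constructed placeholders, and the pattern is a heuristic, not a signature for this CVE. It inspects only the request line, since access logs normally do not record POST bodies.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Assumption: networks allowed to reach the EPMM interfaces (placeholder range).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Common/combined access log format: client, timestamp, request line, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Heuristic: a shell metacharacter followed by a common command name.
SHELL_RE = re.compile(r'(?:\$\(|`|;|\|\||&&|\|)\s*'
                      r'(?:bash|sh|curl|wget|nc|id|whoami|cat|python\d?|perl)\b'
                      r'|/bin/(?:ba)?sh\b', re.IGNORECASE)

# Constructed sample lines; paths and addresses are placeholders, not real IoCs.
SAMPLE_LOG = [
    '10.20.0.15 - - [01/Jan/2026:10:00:00 +0000] "GET /example/status HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "POST /example/endpoint?name=a%3Bid HTTP/1.1" 200 87',
    '10.20.0.15 - - [01/Jan/2026:10:00:09 +0000] "POST /example/endpoint?name=%2524%2528whoami%2529 HTTP/1.1" 404 0',
    '198.51.100.9 - - [01/Jan/2026:10:01:00 +0000] "GET /example/status HTTP/1.1" 403 0',
]

def decode(target, rounds=3):
    # URL-decode repeatedly so double-encoded input is also inspected.
    for _ in range(rounds):
        target = unquote_plus(target)
    return target

def triage(lines):
    """Return (ip, method, status, reasons) for each line worth reviewing."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = []
        if SHELL_RE.search(decode(m["target"])):
            reasons.append("shell-syntax-in-request")
        try:
            trusted = any(ipaddress.ip_address(m["ip"]) in n for n in TRUSTED_NETS)
        except ValueError:
            trusted = False  # unparsable client field: treat as untrusted
        if not trusted:
            reasons.append("untrusted-source")
        if reasons:
            findings.append((m["ip"], m["method"], m["status"], reasons))
    return findings
```

A hit with status 200 from an untrusted source deserves the closest look; treat every finding as a lead to correlate with file-change and outbound-traffic review, not as proof of compromise.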