CISA Adds Critical Ivanti Endpoint Manager Mobile RCE Vulnerability to Known Exploited List

CISA KEV Alert: Actively Exploited Ivanti EPMM Flaw (CVE-2026-1340) Allows Full Server Takeover

Severity: CRITICAL
Published: April 14, 2026
Updated: May 10, 2026
Topics: Vulnerability, Patch Management, Cyberattack

Related Entities (initial)

Products & Tech: Ivanti Endpoint Manager Mobile, MobileIron Core

CVE Identifiers: CVE-2026-1340 (CRITICAL, CVSS 9.8)

Full Report (when first published)

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. The vulnerability, tracked as CVE-2026-1340, is a code injection flaw with a CVSS score of 9.8 out of 10. It allows an unauthenticated remote attacker to execute arbitrary code on the server, leading to a complete system compromise. Due to concrete evidence of active exploitation in the wild, CISA has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog. This action requires U.S. Federal Civilian Executive Branch (FCEB) agencies to patch their systems by a specified deadline and serves as a critical alert to all organizations using this product to remediate immediately.

Vulnerability Details

  • CVE ID: CVE-2026-1340
  • CVSS Score: 9.8 (Critical)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Impact: Full compromise of confidentiality, integrity, and availability of the server.

The vulnerability is a code injection flaw, meaning an attacker can send a specially crafted request to a vulnerable EPMM server and cause the application to execute attacker-supplied code. Because exploitation needs neither authentication nor user interaction, the flaw is 'wormable': an attacker could build a program that automatically scans the internet for vulnerable servers and compromises them without any human involvement.

Affected Systems

  • Product: Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core
  • Affected Versions: 12.5 through 12.7

Organizations using these versions are at immediate risk of compromise. EPMM is a Mobile Device Management (MDM) solution, and its compromise could give attackers control over all connected mobile devices, access to sensitive data, and a powerful foothold within the corporate network.

Exploitation Status

CISA has confirmed that CVE-2026-1340 is being actively exploited in the wild. While specific details of the attacks or the threat actors involved have not been publicly released, the inclusion in the KEV catalog indicates that CISA has reliable intelligence of ongoing malicious activity. Threat actors frequently target vulnerabilities in edge devices like MDM servers because they are internet-facing and provide a gateway to the internal network.

Impact Assessment

A successful exploit of CVE-2026-1340 would be catastrophic for an organization. The attacker would gain full administrative control of the Ivanti EPMM server. From there, they could:

  • Push malicious applications or profiles to all enrolled mobile devices (T1475 - Push Malicious App).
  • Wipe devices or steal sensitive data from them.
  • Use the compromised server as a pivot point to attack the internal network.
  • Intercept corporate communications and data flowing through managed devices.
  • Deploy ransomware across the network.

Cyber Observables for Detection

Security teams should hunt for signs of compromise in their EPMM server logs.

  • url_pattern (Unusual API endpoints or parameters): Monitor web server logs for requests to non-standard URLs or requests containing suspicious-looking payloads in the parameters or body.
  • process_name (w3wp.exe on Windows or httpd on Linux): Look for these web server processes spawning anomalous child processes, such as cmd.exe, powershell.exe, or /bin/sh.
  • file_path (Web server directories, e.g., C:\inetpub\wwwroot\): Monitor for the creation of new, unexpected files (e.g., .aspx, .jsp, .php webshells) in web-accessible directories.
  • network_traffic_pattern (Outbound connections from the EPMM server): The EPMM server should generally not be initiating outbound connections to arbitrary IP addresses on the internet. Such activity is highly suspicious.

Detection Methods

  • D3FEND: Process Analysis: Use an EDR solution to monitor the process activity on the Ivanti EPMM server. A key detection strategy is to look for the main web service process spawning shell commands. This is a classic indicator of a web vulnerability being exploited and is a direct application of D3-PA: Process Analysis.
  • D3FEND: Network Traffic Analysis: Analyze firewall and NetFlow logs for any unexpected outbound connections originating from the EPMM server. This could indicate a reverse shell or a connection to a C2 server. This aligns with D3-NTA: Network Traffic Analysis.
  • Log Review: Scrutinize the Ivanti EPMM application and web server logs for errors or entries that coincide with the timeframe of potential exploitation. Look for large or unusually formatted requests that could represent an exploit attempt.
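As an added example (not code from the article, CISA, or Ivanti), the following Python evaluates constructed EDR and web-log events against the observables and detection methods above: a web server process (httpd or w3wp.exe, as named in the observables) spawning a shell, a webshell-like file appearing in a web-accessible directory, and an oversized request. The event schema, the Linux web root /var/www/, and the 64 KiB request-size threshold are assumptions to be adapted to the real EDR and log formats in use.

```python
"""Hunt logic for the EPMM observables above, run over constructed events.
Added example: the event schema is an assumption, not any EDR vendor's format."""

# Web front-end processes named in the observables table.
WEB_SERVER_PROCS = {"httpd", "w3wp.exe"}
# Shell basenames: the three named above plus bash/dash (assumption: EDR reports full image paths).
SHELL_PROCS = {"cmd.exe", "powershell.exe", "sh", "bash", "dash"}
WEBSHELL_EXTS = (".aspx", ".jsp", ".php")
# Web-accessible roots: the Windows path is from the page, /var/www/ is an assumption.
WEB_DIRS = ("C:\\inetpub\\wwwroot\\", "/var/www/")
LARGE_REQUEST_BYTES = 64 * 1024  # assumption: tune to the server's normal request sizes


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def in_web_dir(path: str) -> bool:
    """True if the path sits under one of the web-accessible roots."""
    norm = path.replace("\\", "/").lower()
    return any(norm.startswith(d.replace("\\", "/").lower()) for d in WEB_DIRS)


def evaluate(events):
    """Return (severity, rule, detail) alerts for events matching the observables."""
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            # D3-PA: web server process spawning a shell, the classic post-exploitation sign.
            if basename(ev["parent"]) in WEB_SERVER_PROCS and basename(ev["image"]) in SHELL_PROCS:
                alerts.append(("high", "web_server_spawned_shell",
                               f"{ev['parent']} -> {ev['image']} ({ev.get('cmdline', '')})"))
        elif kind == "file_create":
            # Webshell-style drop in a web-accessible directory.
            if in_web_dir(ev["path"]) and ev["path"].lower().endswith(WEBSHELL_EXTS):
                alerts.append(("high", "webshell_dropped",
                               f"{ev['path']} written by {ev.get('process', '?')}"))
        elif kind == "http":
            # Log review: oversized request bodies that may carry an exploit payload.
            if ev.get("request_bytes", 0) > LARGE_REQUEST_BYTES:
                alerts.append(("medium", "oversized_request",
                               f"{ev['method']} {ev['path']} {ev['request_bytes']} bytes from {ev['src']}"))
    return alerts


SAMPLE_EVENTS = [  # constructed for this example
    {"type": "process", "parent": "/usr/sbin/httpd", "image": "/bin/sh", "cmdline": "sh -c id"},
    {"type": "process", "parent": "/usr/sbin/httpd", "image": "/usr/sbin/httpd", "cmdline": "httpd -DFOREGROUND"},
    {"type": "process", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "file_create", "path": "/var/www/html/cache.jsp", "process": "httpd"},
    {"type": "file_create", "path": "/var/log/httpd/access_log", "process": "httpd"},
    {"type": "http", "method": "POST", "path": "/example/upload", "src": "198.51.100.7", "request_bytes": 200000},
    {"type": "http", "method": "GET", "path": "/example/status", "src": "10.0.1.5", "request_bytes": 412},
]

if __name__ == "__main__":
    for severity, rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

The second process event (httpd forking another httpd worker) and the access_log write are normal behaviour and produce no alert; only the shell spawns, the .jsp drop under the web root, and the 200 KB POST are flagged. The request-size rule is deliberately medium severity, since large uploads can be legitimate and it is the process and file signals that confirm exploitation.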

Remediation Steps

  1. PATCH IMMEDIATELY: The top priority is to apply the security updates provided by Ivanti for all affected versions of EPMM. This is the only way to fully remediate the vulnerability.
  2. Assume Compromise: If you were running a vulnerable version, you must assume the server has been compromised. The server should be isolated from the network and a forensic investigation should be initiated to determine if attackers gained a foothold.
  3. Hunt for Malice: Use the observables and detection methods listed above to actively hunt for signs of compromise on your EPMM server and within your network.
  4. Review Accounts and Configurations: If a compromise is suspected, all administrative credentials associated with the EPMM should be reset, and a full audit of the device profiles and configurations should be performed to look for malicious changes.

Timeline of Events

  1. April 13, 2026: CISA adds CVE-2026-1340 to its Known Exploited Vulnerabilities (KEV) catalog.
  2. April 14, 2026: This article was published.

Article Updates

May 10, 2026

Ivanti discloses new EPMM RCE (CVE-2026-6973) actively exploited and chainable with prior unauthenticated flaws like CVE-2026-1340, increasing overall compromise risk.

MITRE ATT&CK Mitigations

The primary mitigation is to apply the security patches provided by Ivanti immediately.

Restrict outbound network connections from the EPMM server to only what is absolutely necessary, to block C2 communication.

Use EDR to monitor for suspicious process creation, such as a web server spawning a shell.

D3FEND Defensive Countermeasures

The most urgent and critical action for any organization using Ivanti Endpoint Manager Mobile is to apply the security patches released by Ivanti that address CVE-2026-1340. Given that this is a critical, unauthenticated RCE that is being actively exploited, patching cannot be delayed. Organizations must activate their emergency patching procedures. This involves identifying all vulnerable EPMM instances, testing the patch in a non-production environment if possible (though the urgency may require direct deployment), and applying the update immediately. Verification steps should be taken post-patch to ensure the update was successful and the service is running correctly. For a vulnerability of this severity on an internet-facing system, the acceptable time-to-patch is measured in hours, not days or weeks. This is the only definitive way to close the vulnerability.

As a critical compensating control and detection mechanism, organizations must implement strict outbound traffic filtering for their Ivanti EPMM servers. An internet-facing server like an MDM should have a very predictable and limited set of required outbound connections (e.g., to Apple/Google push notification services, Ivanti's own cloud services). All other outbound traffic should be denied by default at the firewall. By implementing an egress allow-list, you can prevent a compromised server from establishing a reverse shell or connecting to an attacker's command-and-control (C2) infrastructure. Any connection attempt to a destination not on the allow-list should generate a high-priority alert. This control can be the difference between a contained server compromise and a full network breach, as it effectively severs the attacker's ability to command the implant or exfiltrate data.
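The egress allow-list described above, as an added example that is not part of the article and not Ivanti's guidance. The Python below judges constructed NetFlow-style records for the EPMM server against an allow-list, shows that the weak allow-everything policy it replaces raises no alerts at all, and renders the same allow-list as a default-deny nftables output chain with logging of denied attempts. The EPMM address and every destination range are placeholders (RFC 5737 documentation networks), not real Apple, Google, or Ivanti service addresses, which must be taken from the vendors' documentation.

```python
"""Egress allow-list evaluation for an EPMM server.
Added example with constructed addresses; nothing here is a real service address."""
import ipaddress

EPMM_SERVER = ipaddress.ip_address("10.0.5.20")  # constructed address of the MDM appliance

# Each entry: (label, destination network, protocol, allowed ports).
# Documentation ranges stand in for the real push-notification and vendor-cloud destinations.
EGRESS_ALLOWLIST = [
    ("apple_push_placeholder",   ipaddress.ip_network("192.0.2.0/24"),    "tcp", {443}),
    ("google_push_placeholder",  ipaddress.ip_network("198.51.100.0/24"), "tcp", {443}),
    ("ivanti_cloud_placeholder", ipaddress.ip_network("203.0.113.0/24"),  "tcp", {443}),
    ("internal_dns",             ipaddress.ip_network("10.0.0.0/8"),      "udp", {53}),
]

# The weak setting the allow-list replaces: every outbound flow is permitted (None = any).
ALLOW_ANY = [("any", ipaddress.ip_network("0.0.0.0/0"), None, None)]


def permitted(dst, proto, dport, allowlist):
    """Return the label of the allow-list entry that permits this flow, else None."""
    dst = ipaddress.ip_address(dst)
    for label, net, aproto, ports in allowlist:
        if dst in net and aproto in (None, proto) and (ports is None or dport in ports):
            return label
    return None


def evaluate_egress(flows, allowlist, server=EPMM_SERVER):
    """High-priority alerts for outbound flows from the EPMM server that no entry covers."""
    alerts = []
    for f in flows:
        if ipaddress.ip_address(f["src"]) != server:
            continue  # only the MDM server's egress is judged here
        if permitted(f["dst"], f["proto"], f["dport"], allowlist) is None:
            alerts.append(("high", "epmm_unexpected_egress",
                           f"{f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}"))
    return alerts


def render_nft_rules(allowlist, table="epmm_egress"):
    """Render the allow-list as a default-deny nftables output chain (illustrative ruleset)."""
    lines = [f"table inet {table} {{", "  chain output {",
             "    type filter hook output priority 0; policy drop;",
             "    ct state established,related accept"]
    for label, net, proto, ports in allowlist:
        if proto is None or ports is None:
            raise ValueError(f"{label}: explicit protocol and ports are required for a rule")
        portset = "{ " + ", ".join(str(p) for p in sorted(ports)) + " }"
        lines.append(f"    ip daddr {net} {proto} dport {portset} accept  # {label}")
    # Log denied attempts so each one becomes the high-priority alert the text calls for.
    lines.append('    log prefix "epmm-egress-denied " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


SAMPLE_FLOWS = [  # constructed NetFlow-style records
    {"src": "10.0.5.20", "dst": "192.0.2.10",  "proto": "tcp", "dport": 443},   # push service: allowed
    {"src": "10.0.5.20", "dst": "10.0.0.53",   "proto": "udp", "dport": 53},    # internal DNS: allowed
    {"src": "10.0.5.20", "dst": "203.0.113.7", "proto": "tcp", "dport": 8080},  # vendor range, wrong port: alert
    {"src": "10.0.5.20", "dst": "100.64.1.9",  "proto": "tcp", "dport": 4444},  # unknown destination: alert
    {"src": "10.0.9.9",  "dst": "100.64.1.9",  "proto": "tcp", "dport": 4444},  # not the EPMM server: out of scope
]

if __name__ == "__main__":
    for alert in evaluate_egress(SAMPLE_FLOWS, EGRESS_ALLOWLIST):
        print(alert)
    print(render_nft_rules(EGRESS_ALLOWLIST))
```

Matching is on destination network, protocol and port together, so a connection into an allowed vendor range on an unexpected port is still flagged; the allow-everything policy yields zero alerts on the same flows, which is exactly why it offers no containment. The rendered ruleset accepts only established return traffic and the listed destinations and logs everything else before dropping it.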

Sources & References (when first published)

  • "13th April – Threat Intelligence Report", Check Point Research (research.checkpoint.com), April 13, 2026
  • "Known Exploited Vulnerabilities Catalog", CISA (cisa.gov), April 13, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: CVE-2026-1340, Ivanti, MobileIron, CISA, KEV, RCE, Vulnerability, Zero-Day
