CISA Warns of Critical Ivanti EPMM Code Injection Vulnerability Exploited in Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a critical security flaw in Ivanti Endpoint Manager Mobile (EPMM).

The agency recently added this flaw, tracked as CVE-2026-1340, to its Known Exploited Vulnerabilities (KEV) catalog after confirming it is being actively exploited in real-world cyberattacks.

The vulnerability is a code injection flaw, meaning the software fails to properly restrict or sanitize the code it processes. It is exceptionally severe because it allows remote threat actors to achieve unauthenticated remote code execution (RCE).

In practical terms, a hacker does not need a valid username or password to exploit this weakness. By sending specially crafted requests to a vulnerable Ivanti EPMM server, attackers can force the system to run malicious commands.

Ivanti EPMM Code Injection Vulnerability

Successful exploitation grants attackers deep administrative control over the targeted machine, enabling them to steal sensitive data, deploy malware, or move laterally across the corporate network.

Mobile device management solutions like Ivanti EPMM are particularly high-value targets. Because these systems hold elevated privileges on corporate smartphones and tablets, a compromised server could allow attackers to alter security policies or push malicious configurations to thousands of employee devices simultaneously.

While CISA has confirmed that attackers are currently exploiting CVE-2026-1340, specific details about the victims or the threat actors involved remain scarce.

At this time, it is unknown whether the vulnerability is being used in ransomware campaigns. However, due to the complete system access it provides, the flaw is highly attractive to advanced persistent threat (APT) groups and financially motivated cybercriminals alike.

CISA added this vulnerability to the KEV list on April 8, 2026, and mandated a rapid response. Federal Civilian Executive Branch (FCEB) agencies are required to secure their networks by April 11, 2026.

While this strict three-day deadline applies to federal agencies under Binding Operational Directive (BOD) 22-01, CISA strongly urges all private-sector organizations to adopt the same aggressive timeline.

Administrators must apply all available patches and mitigations in accordance with Ivanti’s vendor instructions.

Organizations utilizing cloud-based deployments should also verify they are following the relevant BOD 22-01 guidance for cloud services. Finally, CISA advises that if an organization cannot apply the required mitigations, it must immediately disconnect and discontinue use of the Ivanti EPMM product until a fix can be safely implemented.