CVE-2026-1340

CRITICAL KEV

Ivanti Endpoint Manager Mobile - Code Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2026-1340 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 8, 2026. EIP tracks 3 public exploits from researchers including MehdiLeDeaut, watchTowr, sfewer-r7, including a Metasploit module exploits/linux/http/ivanti_epmm_rce.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2026-1281/1340, targeting Ivanti EPMM. It includes multiple payloads for remote command execution, reverse shells, webshells, persistence mechanisms, and data exfiltration, demonstrating a clear understanding of the vulnerability.

Description

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

Exploits (3)

github WORKING POC 2 stars
by MehdiLeDeaut · pythonremote
https://github.com/MehdiLeDeaut/CVE-2026-1281-Ivanti-EPMM-RCE

This repository contains functional exploit code for CVE-2026-1281/1340, targeting Ivanti EPMM. It includes multiple payloads for remote command execution, reverse shells, webshells, persistence mechanisms, and data exfiltration, demonstrating a clear understanding of the vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ivanti EPMM
No auth needed
Prerequisites: Network access to the target Ivanti EPMM instance
devstral-2 · analyzed Feb 18, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/YunfeiGE18/CVE-2026-1281-CVE-2026-1340-Ivanti-EPMM-RCE

This repository contains a functional exploit PoC for CVE-2026-1340, demonstrating a pre-auth RCE vulnerability in Ivanti EPMM via Bash arithmetic expansion behavior. The exploit leverages command substitution in array indices to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ivanti EPMM
No auth needed
Prerequisites: Docker environment to run the dummy target · Network access to the vulnerable Ivanti EPMM instance
devstral-2 · analyzed Feb 28, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by watchTowr, sfewer-r7 · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ivanti_epmm_rce.rb

This Metasploit module exploits an OS command injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) to achieve unauthenticated remote code execution with root privileges. It uses a crafted HTTP request to inject commands via the 'h' parameter in the URI.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ivanti Endpoint Manager Mobile (EPMM) (formerly MobileIron) versions prior to 11.4.0.0
No auth needed
Prerequisites: Network access to the target system · Target system running a vulnerable version of Ivanti EPMM
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.7387
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2026-04-08
VulnCheck KEV 2026-02-04
ENISA EUVD EUVD-2026-4936
CWE
CWE-94
Status published
Products (3)
Ivanti/Endpoint Manager Mobile 12.x.0.x RPM
Ivanti/Endpoint Manager Mobile 12.x.1.x RPM
ivanti/endpoint_manager_mobile < 12.7.0.0
Published Jan 29, 2026
KEV Added Apr 08, 2026
Tracked Since Feb 18, 2026