Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
Quick answer
Ivanti Endpoint Manager Mobile (EPMM) should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Review vendor advisory for affected versions.
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
Treat CVE-2026-1340 as an actively exploited Ivanti Endpoint Manager Mobile (EPMM) remote code execution risk. Review every EPMM appliance or server, especially internet-accessible systems, and apply Ivanti's vendor security update for the installed 12.x branch. NVD lists the Ivanti CNA score as CVSS 9.8 and CISA KEV lists active exploitation, so unpatched exposed instances should be remediated immediately. If the update cannot be applied at once, remove public exposure, restrict access to trusted administrator networks or VPN, and investigate for compromise before returning the service to normal use.
- Inventory every Ivanti Endpoint Manager Mobile (EPMM) deployment, including public hostnames, management interfaces, and reverse-proxy paths.
- Identify systems that match the affected EPMM 12.x line and prioritize internet-facing deployments first.
- Apply the appropriate Ivanti security update package for the installed branch, using the vendor-provided 12.x.0.x RPM or 12.x.1.x RPM as applicable.
- Download Ivanti update packages only from official Ivanti or MobileIron support locations linked from the vendor advisory.
- Restrict EPMM administrative and application endpoints to trusted networks or VPN until the update is installed and verified.
- Review EPMM web, application, operating system, and EDR logs for unexpected requests, command execution, new files, new accounts, or outbound connections.
- Rotate EPMM administrator credentials, API tokens, service credentials, and related secrets if exploitation or suspicious access is suspected.
- If a system shows signs of compromise, isolate it, preserve logs and disk evidence, rebuild from a trusted source where needed, and restore only after the patched update is applied.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm each EPMM instance reports the patched 12.x.0.x RPM or 12.x.1.x RPM level that matches the installed branch.
- Confirm EPMM management and application endpoints are no longer directly reachable from the public internet unless intentionally exposed and strongly controlled.
- Check the Ivanti advisory and NVD entry again after patching to confirm no newer fixed package or follow-up action has been released.
- Review logs after remediation for continued exploit attempts or suspicious post-patch behavior.
- Run a Fixnx scan against public hostnames and management endpoints to confirm the exposed attack surface was reduced.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-1340?
Ivanti Endpoint Manager Mobile (EPMM) should be checked against the vendor advisory and trusted references linked on this page.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
