CISA Adds CVE-2026-1340 to Known Exploited Vulnerabilities Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added a second critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation in the wild. The flaw, tracked as CVE-2026-1340, is a code injection vulnerability that enables unauthenticated remote code execution — one of the most dangerous vulnerability classes in enterprise software. Federal civilian executive branch (FCEB) agencies were given until April 11, 2026 to apply mitigations, underscoring the urgency of the threat.
What Is CVE-2026-1340 and Why Does It Matter?
CVE-2026-1340 is a code injection flaw residing in Ivanti EPMM, a widely deployed mobile device management (MDM) platform used by government agencies and enterprises to manage and secure endpoint devices. The vulnerability carries a CVSS severity score of 9.8 out of 10, placing it in the critical tier.
What makes this flaw particularly dangerous is that it requires no authentication to exploit. An attacker with network access to a vulnerable EPMM instance can achieve remote code execution, potentially allowing them to take full control of the underlying system, exfiltrate data, deploy malware, or pivot deeper into an organization's network.
This is not an isolated incident. CVE-2026-1340 closely mirrors CVE-2026-1281, a similar code injection vulnerability that Ivanti disclosed simultaneously in late January 2026 and which was immediately added to the KEV catalog at that time. Both vulnerabilities share the same critical severity score and the same exploitation mechanism.
A Timeline of Disclosure and Exploitation
Understanding the timeline helps illustrate how quickly these vulnerabilities moved from disclosure to active exploitation:
- Late January 2026: Ivanti disclosed both CVE-2026-1340 and CVE-2026-1281. CVE-2026-1281 was immediately added to the KEV catalog. Ivanti released an RPM package as an immediate mitigation — requiring no downtime and applying in seconds.
- Shortly after disclosure: Exploitation began after a proof-of-concept (PoC) was publicly released. Ivanti confirmed awareness of a "very limited number" of impacted customers at that time.
- February 2026: The European Commission and Dutch authorities announced investigations into incidents tied to both vulnerabilities.
- March 18, 2026: Ivanti released EPMM version 12.8, fully resolving both vulnerabilities and introducing additional security hardening features.
- April 9, 2026: CISA formally added CVE-2026-1340 to the KEV catalog, with a remediation deadline of April 11 for federal agencies.
Thousands of Exploitation Attempts Reported
Security researchers have raised questions about the timing of CISA's KEV catalog update, noting that exploitation of CVE-2026-1340 has been ongoing for months. CISA did not provide specific reasoning for the delayed classification but linked to its general guidance on how vulnerabilities are evaluated for KEV inclusion.
"It's been repeatedly exploited literally thousands of times since it was disclosed." — Simo Kohonen, Founder and CEO, Defused
Multiple independent security researchers corroborated this assessment, stating they had not observed any notable spike in recent threat activity that would explain the timing of the catalog update. The implication is clear: organizations that had not yet patched CVE-2026-1340 have been exposed to a sustained, high-volume threat campaign for months.
International Investigations and Coordinated Response
The scope of impact extends well beyond U.S. borders. Both the European Commission and Dutch authorities launched formal investigations in February 2026 into incidents linked to CVE-2026-1340 and CVE-2026-1281. Notably, Ivanti worked with the National Cyber Security Centre (NCSC) of the Netherlands to develop detection scripts and indicators of compromise (IoCs), which were made available to the security community alongside technical analysis.
This level of international coordination reflects the severity of the vulnerabilities and the breadth of their impact on government and enterprise environments across multiple countries.
What Ivanti Has Provided to Affected Organizations
Ivanti has taken a multi-step approach to helping customers remediate and detect compromise:
- Immediate mitigation: An RPM package released at the time of disclosure that applies in seconds with no system downtime.
- Indicators of compromise (IoCs): Published to help organizations determine if they were targeted.
- Technical analysis: Detailed documentation of the vulnerability's behavior and exploitation patterns.
- Detection script: Developed in partnership with the Dutch NCSC to help organizations identify signs of exploitation.
- Full patch — EPMM version 12.8: Released March 18, 2026, fully resolving both vulnerabilities along with additional hardening improvements.
An Ivanti spokesperson emphasized that the company recommends all users upgrade to version 12.8 as the definitive remediation step.
What Organizations Should Do Right Now
Whether or not your organization falls under CISA's FCEB mandate, the addition of CVE-2026-1340 to the KEV catalog is a strong signal that immediate action is warranted. Here are the recommended steps:
- Upgrade to Ivanti EPMM version 12.8 immediately if you have not already done so.
- Apply the RPM mitigation package as a stopgap if upgrading is not immediately feasible.
- Run Ivanti's detection script (co-developed with the Dutch NCSC) to check for signs of prior compromise.
- Review the published IoCs and correlate them against your SIEM, EDR, and network logs.
- Audit internet-exposed EPMM instances and restrict access where possible pending full remediation.
- Report any confirmed compromise to CISA and relevant national authorities.
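The upgrade, stopgap and exposure steps above can be tracked per host. The following is an added example, not code from Ivanti or CISA: it reads an entry in the shape of CISA's KEV JSON feed and ranks an EPMM inventory by remediation state. The inventory records, host names, version strings and the `rpm_mitigation` and `internet_exposed` fields are constructed, and it assumes any version at or above 12.8 counts as fixed.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed; values are taken from the article.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2026-1340", "vendorProject": "Ivanti",
   "product": "Endpoint Manager Mobile (EPMM)",
   "dateAdded": "2026-04-09", "dueDate": "2026-04-11"}]}""")

# Constructed inventory: host names, versions and field names are hypothetical.
INVENTORY = [
    {"host": "epmm-a.example.internal", "version": "12.8.0.0", "rpm_mitigation": False, "internet_exposed": True},
    {"host": "epmm-b.example.internal", "version": "12.7.0.1", "rpm_mitigation": True, "internet_exposed": True},
    {"host": "epmm-c.example.internal", "version": "12.6.1.0", "rpm_mitigation": False, "internet_exposed": False},
    {"host": "epmm-d.example.internal", "version": "12.7.0.0", "rpm_mitigation": False, "internet_exposed": True},
]

FIXED_VERSION = (12, 8)  # the article names EPMM 12.8 as the full fix (assumed: >= 12.8 is fixed)
ORDER = {"vulnerable": 0, "stopgap-only": 1, "remediated": 2}


def parse_version(text):
    """Turn '12.7.0.1' into (12, 7, 0, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def triage(kev, inventory, cve_id, today):
    """Classify each host against the KEV entry and sort the worst cases first."""
    entry = next((v for v in kev["vulnerabilities"] if v["cveID"] == cve_id), None)
    if entry is None:
        return []  # CVE is not KEV-listed in this feed, nothing to rank
    due = date.fromisoformat(entry["dueDate"])
    findings = []
    for asset in inventory:
        if parse_version(asset["version"]) >= FIXED_VERSION:
            status = "remediated"
        elif asset["rpm_mitigation"]:
            status = "stopgap-only"  # mitigated, but still needs the 12.8 upgrade
        else:
            status = "vulnerable"
        findings.append({
            "host": asset["host"],
            "status": status,
            "exposed": asset["internet_exposed"],
            # The deadline is for applying mitigations, so only unmitigated hosts count as overdue.
            "overdue": status == "vulnerable" and today > due,
        })
    # Unmitigated hosts first, internet-exposed ones ahead of internal ones.
    findings.sort(key=lambda f: (ORDER[f["status"]], not f["exposed"]))
    return findings


if __name__ == "__main__":
    for finding in triage(KEV_SAMPLE, INVENTORY, "CVE-2026-1340", date.today()):
        print(finding)
```

Every host in the output, including those already marked remediated, still needs the detection script and IoC review, since exploitation predates both the patch and the KEV listing.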
The Broader Pattern: Ivanti Under the Spotlight
CVE-2026-1340 is the latest in a string of high-severity vulnerabilities affecting Ivanti products that have drawn significant attention from threat actors and government agencies alike. The pattern of rapid PoC-to-exploitation cycles observed with Ivanti flaws highlights the critical importance of applying patches promptly and treating MDM infrastructure as high-value attack surface that demands priority hardening.
The fact that a vulnerability with thousands of documented exploitation attempts required months to formally enter the KEV catalog also raises important questions about detection and reporting pipelines — both for vendors and the broader security community.
Conclusion: Patch Now, Investigate Thoroughly
The CISA KEV listing of CVE-2026-1340 is both a call to action and a reminder of the persistent threat landscape surrounding enterprise MDM platforms. With a CVSS score of 9.8, unauthenticated remote code execution capability, and a confirmed history of mass exploitation, this vulnerability demands immediate attention from every organization running Ivanti EPMM. Upgrading to version 12.8 is the definitive fix — but organizations should also conduct thorough forensic investigations to determine whether they were among the thousands of targets already hit.
Stay current with CISA's Known Exploited Vulnerabilities catalog and establish processes to prioritize KEV-listed flaws for rapid remediation. In today's threat environment, days of delay can mean the difference between a near-miss and a full-scale breach.