CVE-2026-1340

Published Jan 29, 2026

Last updated 12 days ago

Exploit knownCVSS critical 9.8
Ivanti Endpoint Manager Mobile
IoT
VPN
Mobile device

Overview

Description
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
Source
3c1d8aa1-5a33-4ea4-8992-aadd6440af75
NVD status
Analyzed
Products
endpoint_manager_mobile

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
Exploit added on
Apr 8, 2026
Exploit action due
Apr 11, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

3c1d8aa1-5a33-4ea4-8992-aadd6440af75
CWE-94

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Microsoft SharePoint Server Improper Input Validation VulnerabilityCVE-2026-32201
  2. Fortinet FortiClient EMS Improper Access Control VulnerabilityCVE-2026-35616
  3. strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon.CVE-2026-25075
  4. A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue is the function check_is_ipv6 of the component IPv6 Handler. The manipulation leads to reliance on ip address for authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.CVE-2026-4252
  5. A vulnerability was determined in CityData CityChat up to 0.12.6 on Android. Affected by this vulnerability is an unknown functionality of the file resources/assets/flutter_assets/assets/credentials.json of the component ai.citydata.citychat. Executing a manipulation can lead to unprotected storage of credentials. The attack requires local access. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.CVE-2026-4251

References

Sources include official advisories and independent security research.