The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities (KEV) Catalog. This flaw, tracked as CVE-2026-1340, carries a severe CVSS score of 9.8 and is currently being exploited by malicious actors to achieve unauthenticated remote code execution on enterprise mobile management servers.
The vulnerability allows an attacker to inject and execute malicious code without needing valid credentials or prior access to the system. This type of flaw is a “frequent attack vector for malicious cyber actors” because it provides a direct path to full system compromise.
Affected products include multiple versions of Ivanti EPMM:
- Version 12.5.0.0 and prior
- Version 12.6.0.0 and prior
- Version 12.7.0.0 and prior
- Version 12.5.1.0 and prior
- Version 12.6.1.0 and prior
Ivanti has released specific RPM security updates to address the flaw. Customers are urged to apply the correct patch based on their current software version:
- For Versions 12.5.0.x, 12.6.0.x, and 12.7.0.x: Apply RPM 12.x.0.x (Security Update 1761642-1.1.0S-5). This patch is also compatible with versions 12.3.0.x and 12.4.0.x.
- For Versions 12.5.1.0 and 12.6.1.0: Apply RPM 12.x.1.x (Security Update 1761642-1.1.0L-5).
Ivanti notes that “no downtime is required to apply this patch,” but importantly, “the RPM script does not survive a version upgrade”. If an appliance is upgraded to a new version after the patch is applied, the RPM must be reinstalled. A permanent fix is scheduled for the upcoming 12.8.0.0 release later in Q1 2026.
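The patch selection and the reinstall-after-upgrade caveat above can be checked across a fleet with a small script. This is an added example, not Ivanti or CISA tooling: the inventory schema (`host`, `version`, `rpm_applied_on`) and the sample records are assumptions, and only the version-to-RPM mapping comes from the article.

```python
import re

# Package names exactly as given in the article, keyed by the third version field.
RPMS = {0: "RPM 12.x.0.x (Security Update 1761642-1.1.0S-5)",
        1: "RPM 12.x.1.x (Security Update 1761642-1.1.0L-5)"}
# Minor versions the article lists for the 12.x.0.x package (any build number).
TRACK0_MINORS = {3, 4, 5, 6, 7}
# The article names only these exact versions for the 12.x.1.x package.
TRACK1_VERSIONS = {(12, 5, 1, 0), (12, 6, 1, 0)}

def select_rpm(version):
    """Return the RPM the article names for this EPMM version, else None."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return None
    v = tuple(int(p) for p in m.groups())
    if v[0] == 12 and v[2] == 0 and v[1] in TRACK0_MINORS:
        return RPMS[0]
    if v in TRACK1_VERSIONS:
        return RPMS[1]
    return None  # not covered by the article, e.g. the future 12.8.0.0 release

def triage(record):
    """Map one inventory record (hypothetical schema) to an action string."""
    rpm = select_rpm(record["version"])
    patched_on = record.get("rpm_applied_on")  # version running when the RPM was installed
    if rpm is None:
        return "REVIEW: check the vendor advisory for this version"
    if patched_on is None:
        return "APPLY: " + rpm
    if patched_on != record["version"]:
        # The RPM does not survive a version upgrade, so it must be reinstalled.
        return "REAPPLY: " + rpm
    return "OK: RPM applied on the running version"

# Constructed sample inventory; hostnames and patch state are made up.
INVENTORY = [
    {"host": "epmm-a", "version": "12.5.0.2", "rpm_applied_on": None},
    {"host": "epmm-b", "version": "12.6.1.0", "rpm_applied_on": "12.6.1.0"},
    {"host": "epmm-c", "version": "12.7.0.0", "rpm_applied_on": "12.5.0.0"},
    {"host": "epmm-d", "version": "12.8.0.0", "rpm_applied_on": "12.7.0.0"},
]

def report(inventory=INVENTORY):
    return {r["host"]: triage(r) for r in inventory}

if __name__ == "__main__":
    for host, action in report().items():
        print(host, "->", action)
```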
To help organizations assess potential impact, Ivanti has also released an Exploitation Detection RPM package. This tool scans the appliance for “specific indicators related to known malicious activity”.
Security teams should review the resulting log files, typically located in the /log directory of the SHOWTECH logs, for any suspicious behavior observed prior to patching. Ivanti warns that while the tool is high-fidelity, “the absence of indicators does not confirm the system has not been impacted”.
In light of these developments, Federal Civilian Executive Branch (FCEB) agencies have been mandated to remediate the flaw by April 11, 2026, to protect federal networks.