What happened
CISA added CVE-2026-1340, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to the Known Exploited Vulnerabilities (KEV) catalog on 2026-04-08, signaling active exploitation in the wild (CISA KEV). The entry describes unauthenticated remote code execution (RCE) as the impact of the flaw, which elevates the urgency of remediation for exposed deployments (CISA KEV). The CVE is classified under CWE-94 (Improper Control of Generation of Code), indicating an attacker-controlled code path can be injected and executed (NVD CVE-2026-1340).
Per KEV policy, U.S. federal civilian agencies must apply mitigations or discontinue use if mitigations are unavailable by the specified due date, which for this entry is 2026-04-11, aligned to BOD 22-01 directives (CISA KEV). The MITRE CVE record provides canonical identification details for tracking and inventory correlation across environments (MITRE CVE).
Why it matters
Inclusion in KEV means exploitation has been observed or reliably reported against real targets, so defenders should treat scanning and exploitation attempts as current, not hypothetical (CISA KEV). Unauthenticated RCE collapses the attack chain to a single request against a reachable service, which materially lowers the barrier to mass exploitation and makes time-to-patch the dominant risk variable (CISA KEV). CWE-94 vulnerabilities are routinely leveraged to run arbitrary code with the privileges of the vulnerable service, enabling lateral movement, data access, and persistent footholds (NVD CVE-2026-1340).
For agencies under BOD 22-01 and enterprises mirroring its guidance, KEV inclusion triggers prioritized remediation workflows, asset discovery validation, and executive-level tracking of closure by the listed due date (CISA KEV). The combination of pre-auth reachability and code injection semantics justifies emergency change windows and temporary exposure reduction until mitigations are in place (NVD CVE-2026-1340).
Technical detail
The vulnerability is categorized as CWE-94, where untrusted input participates in code generation or evaluation without sufficient validation, allowing an attacker to inject instructions that the application subsequently executes (NVD CVE-2026-1340). CISA’s description states that exploitation can result in unauthenticated remote code execution, implying the vulnerable path is accessible without valid user credentials and that successful injection yields arbitrary command execution in the target context (CISA KEV). As with most code injection defects, a successful exploit typically involves crafting inputs that traverse parsing or templating logic to reach a dynamic execution sink, resulting in attacker-controlled code paths (NVD CVE-2026-1340).
Because this entry resides in KEV, defenders should assume exploit reliability is sufficient for opportunistic campaigns, including automated scanning and wormable propagation across similarly exposed instances (CISA KEV). The MITRE record ensures consistent correlation across scanners, SIEMs, and ticketing systems by anchoring the canonical CVE identifier used in advisories and feeds (MITRE CVE).
Defense
- Remediate on an emergency basis: apply vendor mitigations where available and discontinue use if mitigations are unavailable, meeting the KEV due date of 2026-04-11 per BOD 22-01 (CISA KEV).
- Prioritize assets exposed to untrusted networks, given the pre-auth RCE characterization and CWE-94 profile, which maximize exploitability from external vantage points (NVD CVE-2026-1340).
- Temporarily reduce attack surface by restricting access to the affected management service (e.g., VPN or IP allowlisting) while rolling out fixes, as a compensating control against unauthenticated reachability (CISA KEV).
- Intensify monitoring for exploitation indicators consistent with RCE, such as anomalous requests, unexpected child processes of the EPMM service, and outbound connections following inbound requests, aligned to CWE-94 execution patterns (NVD CVE-2026-1340).
- Validate inventory and exposure: confirm all instances mapped to CVE-2026-1340 in asset and vulnerability systems using the canonical CVE to avoid blind spots in remediation tracking (MITRE CVE).
Agencies should follow CISA’s directive to apply mitigations per vendor instructions and, where necessary, discontinue use, aligning program governance with KEV-driven prioritization and reporting (CISA KEV).
Lyrie Verdict
CVE-2026-1340 is a pre-auth code injection route to RCE, which is ideal for high-speed automated exploitation once a target is discovered, as highlighted by its KEV status (CISA KEV). Lyrie’s position: treat this as a bot-amplified threat surface and enforce autonomous controls that operate faster than operator reaction time. Concretely, deploy machine-speed inspection for injection payloads mapped to CWE-94 semantics, auto-correlate anomalous request→process→egress sequences, and quarantine impacted services pending verification—closing the window between first exploit attempt and containment (NVD CVE-2026-1340). We tie remediation tracking to the CVE identifier to block re-exposure and confirm closure within KEV timelines, ensuring the system defends against rogue-AI-driven spraying and adaptive payloads without waiting for manual triage (MITRE CVE).
Pre-auth code injection to RCE in EPMM, now in KEV, invites automated mass exploitation; Lyrie enforces machine-speed inspection, correlation, and quarantine tied to CVE-2026-1340 to outpace rogue-AI-driven attacks.
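The request→process→egress correlation named in the Defense list and in the verdict above, as an added example that is not part of the original page or of any vendor tooling: it flags an unexpected child process of the management service that follows an unauthenticated request, and records any egress from that child. The event schema, the process name `epmm-svc`, the baseline set and the 30-second window are assumptions, and the telemetry is constructed.

```python
from datetime import datetime, timedelta

SERVICE = "epmm-svc"            # assumption: process name of the management service
EXPECTED_CHILDREN = {"java"}    # assumption: children seen in a clean baseline
WINDOW = timedelta(seconds=30)  # assumption: maximum gap between chain stages

# Constructed telemetry, already normalised from web, process and network logs.
EVENTS = [
    {"ts": "2026-04-09T10:00:00", "type": "http", "host": "mdm01", "src": "198.51.100.7", "auth": False},
    {"ts": "2026-04-09T10:00:02", "type": "proc", "host": "mdm01", "parent": SERVICE, "child": "sh", "pid": 4242},
    {"ts": "2026-04-09T10:00:05", "type": "net", "host": "mdm01", "pid": 4242, "dst": "203.0.113.50"},
    {"ts": "2026-04-09T10:05:00", "type": "http", "host": "mdm02", "src": "192.0.2.10", "auth": True},
    {"ts": "2026-04-09T10:05:01", "type": "proc", "host": "mdm02", "parent": SERVICE, "child": "java", "pid": 500},
    {"ts": "2026-04-09T11:00:00", "type": "http", "host": "mdm03", "src": "198.51.100.9", "auth": False},
    {"ts": "2026-04-09T11:00:10", "type": "proc", "host": "mdm03", "parent": SERVICE, "child": "sh", "pid": 77},
    {"ts": "2026-04-09T11:50:00", "type": "http", "host": "mdm04", "src": "198.51.100.9", "auth": False},
    {"ts": "2026-04-09T12:00:00", "type": "proc", "host": "mdm04", "parent": SERVICE, "child": "sh", "pid": 9},
]


def _follows(earlier, later):
    """True when both events are on one host and `later` comes within WINDOW."""
    gap = later["t"] - earlier["t"]
    return earlier["host"] == later["host"] and timedelta(0) <= gap <= WINDOW


def correlate(events):
    """Return request -> process -> egress chains; stage 2 means no egress seen."""
    evs = sorted(({**e, "t": datetime.fromisoformat(e["ts"])} for e in events),
                 key=lambda e: e["t"])
    alerts = []
    for proc in (e for e in evs if e["type"] == "proc"):
        if proc["parent"] != SERVICE or proc["child"] in EXPECTED_CHILDREN:
            continue
        reqs = [e for e in evs
                if e["type"] == "http" and not e["auth"] and _follows(e, proc)]
        if not reqs:
            continue  # no unauthenticated trigger in the window: not this rule
        dsts = [e["dst"] for e in evs
                if e["type"] == "net" and e["pid"] == proc["pid"] and _follows(proc, e)]
        alerts.append({"host": proc["host"], "src": reqs[-1]["src"],
                       "child": proc["child"], "stage": 3 if dsts else 2,
                       "egress": dsts})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

A stage-2 result (request followed by an unexpected child, no egress yet) is already worth containment review; the mdm04 events show that a spawn with no unauthenticated request inside the window is left to a separate baseline rule.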