What is the CVSS score of CVE-2026-1340?

CVE-2026-1340 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 50.9%.

Which versions of Ivanti are affected by CVE-2026-1340?

A critical unauthenticated remote code execution vulnerability in Ivanti Endpoint Manager Mobile (CVE-2026-1340, CVSS 9.8) poses an immediate threat to any organization using this platform.

Is there a public PoC exploit available for CVE-2026-1340?

Yes, a public proof-of-concept exploit is available for CVE-2026-1340. Prioritise patching immediately. EPSS: 50.9%.

Ivanti CVE-2026-1340

CRITICAL

Code Injection (CWE-94)

2026-01-29 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

RCE Code Injection Ivanti

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Added to CISA KEV

Apr 09, 2026 - 14:03 cisa

CISA KEV

CIRCL Exploitation Confirmed

Apr 09, 2026 - 14:03 circl

CIRCL KEV

PoC Detected

Apr 09, 2026 - 14:03 vuln.today

Public exploit code

Analysis Generated

Mar 12, 2026 - 22:00 vuln.today

CVE Published

Jan 29, 2026 - 22:15 nvd

CRITICAL 9.8

DescriptionNVD

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

AnalysisAI

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to achieve remote code execution on the mobile device management server. Compromising the MDM server provides access to all managed mobile device configurations, policies, and potentially the ability to push malicious profiles to enrolled devices.

RemediationAI

Within 24 hours: Inventory all Ivanti Endpoint Manager Mobile instances, isolate affected systems from production networks if operationally feasible, and enable enhanced logging/monitoring. Within 7 days: Implement network segmentation to restrict access to management interfaces, deploy WAF rules to block exploitation attempts, and brief incident response teams on activation criteria. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory