CVE-2026-1340

Name of the Vulnerable Software and Affected Versions Ivanti Endpoint Manager Mobile versions prior to v12.1.0.2 or v11.12.0.1.

Description Ivanti Endpoint Manager Mobile (EPMM) contains a code injection flaw that allows attackers to achieve unauthenticated remote code execution (RCE). This vulnerability allows an attacker to bypass login and execute arbitrary code on the system. The vulnerability is actively exploited in the wild, with automated scanners targeting vulnerable systems. Approximately 950 systems are currently exposed. The vulnerability exists in a legacy API endpoint (/mifs/services/) where improper input sanitization allows attackers to inject commands using backticks (```) or semicolons (;) within a POST request. The EPMM service runs with high privileges, enabling attackers to gain control of the server. This represents a supply-chain compromise of the mobile perimeter, potentially allowing attackers to push malicious updates to managed devices and exfiltrate sensitive data.

Recommendations Update to version v12.1.0.2 or v11.12.0.1 or later. If unable to patch immediately, shut down the management interface (ports 443/8443). Audit web logs for suspicious POST requests to /mifs/services/ containing shell metacharacters. Scan for newly created .jsp or .php files in the /mifs/ web directories. Inspect the Admin Portal for unauthorized administrators or modified security policies.