CVE-2026-1340: Ivanti EPMM Code Injection Vulnerability

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the Android File Transfer module allowing unauthenticated remote code execution. Added to CISA KEV as actively exploited.

Dylan H.

Security Team

April 8, 2026

Affected Products

  • Ivanti Endpoint Manager Mobile (EPMM) — all on-premises versions
  • EPMM Android File Transfer module

Executive Summary

CVE-2026-1340 is a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), specifically within the Android File Transfer module. The flaw allows an unauthenticated remote attacker to inject and execute arbitrary commands on the affected server. CISA added this CVE to its Known Exploited Vulnerabilities (KEV) catalog on April 8, 2026, confirming active exploitation in the wild.

This CVE is closely associated with CVE-2026-1281, another code injection flaw in EPMM's In-House App Distribution component (CVSS 9.8), which was chained with CVE-2026-1340 in attacks against European government agencies including the Dutch Data Protection Authority, the Dutch Council for the Judiciary, the European Commission, and Finland's Valtori state ICT provider.


Vulnerability Details

| Field | Details |
| --- | --- |
| CVE | CVE-2026-1340 |
| Severity | Critical |
| Type | Code Injection — Remote Code Execution |
| Component | EPMM Android File Transfer module |
| Authentication | None required |
| Attack Vector | Network |
| Impact | Full server compromise — arbitrary command execution |
| CISA KEV | Added April 8, 2026 |

Technical Root Cause

The vulnerability stems from Bash arithmetic expansion in EPMM's Android File Transfer file delivery mechanism. An unauthenticated attacker can craft a malicious request that causes the server to evaluate attacker-controlled input as a shell expression, resulting in arbitrary OS command execution under the EPMM service account.

This is the same class of vulnerability (Bash arithmetic expansion injection) as CVE-2026-1281, which targets EPMM's In-House App Distribution feature. Together, the two flaws formed a zero-day exploit chain used to breach European government agencies starting January 29, 2026 — before patches were available.


Exploitation Context

Government Breach Campaign

Threat actors exploited this vulnerability (alongside CVE-2026-1281) in a targeted campaign against European governmental organizations:

| Victim Organization | Country | Impact |
| --- | --- | --- |
| Dutch Data Protection Authority (AP) | Netherlands | Systems compromised |
| Dutch Council for the Judiciary | Netherlands | Court infrastructure breached |
| European Commission | EU | Institutional systems accessed |
| Valtori (State ICT Provider) | Finland | Up to 50,000 gov. employees affected |

Sleeper Webshells

Researchers discovered that attackers planted webshells designed for long-term persistent access — disguised as legitimate EPMM system files and dormant until activated by specific request parameters. Organizations that applied patches without conducting forensic investigation may still be compromised.


Affected Systems

| Version Range | Status |
| --- | --- |
| EPMM on-premises — all versions | Vulnerable |
| Ivanti Cloud Neurons for MDM | Not affected |
| EPMM 12.8.0.0+ (post-patch) | Fixed |

Note: Only on-premises EPMM deployments are vulnerable. Cloud-hosted Neurons for MDM is not affected.


Remediation

Immediate Actions

  1. Apply Ivanti's security update — Install the latest patch as directed by Ivanti's advisory
  2. Conduct forensic investigation — Patching alone is insufficient; sleeper webshells may persist
  3. Search for webshells — Audit unexpected files in EPMM web directories
  4. Review authentication logs — Look for unauthenticated access to Android File Transfer endpoints
  5. Rotate all credentials — Change credentials accessible from the EPMM server
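
For steps 2 and 3, an added example (not from the original article or from Ivanti) that compares a web directory against a known-good hash baseline, since a webshell disguised as a system file will not stand out by name. The baseline mapping and the directory passed in are assumptions; the date is the campaign start given in this article.

```python
import hashlib
import os
from datetime import datetime, timezone

# Start of zero-day exploitation as stated in this article.
CAMPAIGN_START = datetime(2026, 1, 29, tzinfo=timezone.utc)


def sha256_file(path):
    """Hash a file in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_web_root(web_root, baseline, since=CAMPAIGN_START):
    """Return findings for files that differ from a known-good baseline.

    baseline maps relative path -> sha256, built from a trusted copy of the
    same EPMM build (hypothetical input; the article does not provide one).
    """
    findings = []
    for folder, _dirs, names in os.walk(web_root):
        for name in names:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, web_root)
            if rel not in baseline:
                reason = "not in baseline"
            elif sha256_file(full) != baseline[rel]:
                reason = "hash differs from baseline"
            else:
                continue  # content is known-good, whatever its timestamp
            mtime = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)
            findings.append({
                "path": rel,
                "reason": reason,
                # Timestamps can be forged: use this to prioritise, not to clear.
                "modified_since_campaign": mtime >= since,
            })
    return sorted(findings, key=lambda item: item["path"])
```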

Network Hardening

  • Restrict EPMM management interface access to trusted internal networks only
  • Implement WAF rules targeting code injection patterns in EPMM endpoints
  • Monitor for anomalous outbound connections from the EPMM host

CISA Directive

Per CISA's KEV policy, all U.S. federal civilian executive branch (FCEB) agencies are required to remediate this vulnerability by the CISA-specified deadline. Organizations are strongly urged to prioritize patching regardless of sector.


Detection

Look for indicators of exploitation in EPMM logs:

# Suspicious patterns in Android File Transfer endpoint logs:
- Requests containing Bash command substitution or arithmetic expansion syntax: $(command), $((expr))
- Unusual HTTP method combinations on /mifs/afw/ or related paths
- Unexpected outbound network connections from the EPMM host
- New files appearing in EPMM web directories
- Scheduled tasks or cron jobs added post-deployment
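
The first two checks in the list above, as an added example that is not part of the original article: a scanner that percent-decodes each request target (including double encoding) before looking for `$(` and `$((`. The combined access-log format, the endpoint name and the parameter name are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: the front end writes Apache/nginx "combined" access logs.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Openers for the two forms listed above: $(command) and $((expr)).
SHELL_EXPANSION = re.compile(r"\$\(\(?")
WATCHED_PREFIX = "/mifs/afw/"  # path named in this article


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(lines, prefix=WATCHED_PREFIX):
    """Return (line number, client IP, status, kind) for suspicious requests."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOG_LINE.match(line)
        if not match:
            continue
        target = fully_decode(match["target"])
        found = SHELL_EXPANSION.search(target)
        if target.startswith(prefix) and found:
            kind = "arithmetic" if found.group() == "$((" else "command-substitution"
            hits.append((number, match["ip"], match["status"], kind))
    return hits

# Constructed sample lines: documentation IPs, hypothetical endpoint and
# parameter names. They do not reproduce a real exploit request.
SAMPLE = [
    '198.51.100.7 - - [30/Jan/2026:02:11:09 +0000] "GET /mifs/afw/example?x=%24%28%28n%29%29 HTTP/1.1" 404 512',
    '203.0.113.20 - - [30/Jan/2026:02:11:12 +0000] "GET /mifs/afw/example?x=%2524%2528placeholder%2529 HTTP/1.1" 200 0',
    '192.0.2.44 - - [30/Jan/2026:02:12:40 +0000] "GET /mifs/afw/example?x=42 HTTP/1.1" 200 128',
    '192.0.2.44 - - [30/Jan/2026:02:12:41 +0000] "GET /index.html?q=$(placeholder) HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Pass `prefix="/"` to widen the search to every path when the "related paths" are not yet known.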

Ivanti's Ongoing Vulnerability History

| Date | Product | CVE(s) | Status |
| --- | --- | --- | --- |
| Jan 2024 | Connect Secure | CVE-2024-21887 | Mass exploitation |
| Oct 2024 | Cloud Service Appliance | CVE-2024-8963 | Active exploitation |
| Jan 2026 | Connect Secure | Multiple | CISA emergency directive |
| Feb 2026 | EPMM | CVE-2026-1281 / CVE-2026-1340 | EU government breaches |
| Apr 2026 | EPMM | CVE-2026-1340 | CISA KEV added |

References

  • CISA Known Exploited Vulnerabilities Catalog — CVE-2026-1340
  • NVD — CVE-2026-1340
  • Ivanti Security Advisory — EPMM Vulnerabilities
  • The Record — EU and Dutch Government Announce Hacks Following Ivanti Zero-Days
  • Tenable — CVE-2026-1281 / CVE-2026-1340 Ivanti EPMM Zero-Day Analysis