CVE-2026-1340: CWE-94 Improper Control of Generation of Code ('Code Injection') in Ivanti Endpoint Manager Mobile
CVE-2026-1340 is a critical vulnerability in Ivanti Endpoint Manager Mobile involving improper control of code generation, classified as CWE-94 (Code Injection). This flaw allows unauthenticated attackers to execute arbitrary code remotely. The vulnerability has a CVSS 3. 1 base score of 9. 8, indicating high impact on confidentiality, integrity, and availability. No patch or official remediation information is currently available. There are no known exploits in the wild at this time. The affected versions are unspecified, and the product is not a cloud service.
AI Analysis
Technical Summary
CVE-2026-1340 describes a code injection vulnerability in Ivanti Endpoint Manager Mobile that enables unauthenticated remote code execution. The weakness stems from improper control over code generation, allowing attackers to inject and execute arbitrary code without authentication. The vulnerability is rated critical with a CVSS score of 9.8, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No patch or vendor advisory details are currently provided, and no known exploits have been reported.
Potential Impact
Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code on affected systems without authentication, potentially leading to full system compromise, data loss, or service disruption. The critical CVSS score reflects the severe impact on confidentiality, integrity, and availability of the affected product.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, organizations should monitor Ivanti's security advisories for updates. Given the lack of patch or workaround information, applying network-level protections such as restricting access to the affected service may help reduce exposure.
CVE-2026-1340: CWE-94 Improper Control of Generation of Code ('Code Injection') in Ivanti Endpoint Manager Mobile
Description
CVE-2026-1340 is a critical vulnerability in Ivanti Endpoint Manager Mobile involving improper control of code generation, classified as CWE-94 (Code Injection). This flaw allows unauthenticated attackers to execute arbitrary code remotely. The vulnerability has a CVSS 3. 1 base score of 9. 8, indicating high impact on confidentiality, integrity, and availability. No patch or official remediation information is currently available. There are no known exploits in the wild at this time. The affected versions are unspecified, and the product is not a cloud service.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-1340 describes a code injection vulnerability in Ivanti Endpoint Manager Mobile that enables unauthenticated remote code execution. The weakness stems from improper control over code generation, allowing attackers to inject and execute arbitrary code without authentication. The vulnerability is rated critical with a CVSS score of 9.8, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No patch or vendor advisory details are currently provided, and no known exploits have been reported.
Potential Impact
Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code on affected systems without authentication, potentially leading to full system compromise, data loss, or service disruption. The critical CVSS score reflects the severe impact on confidentiality, integrity, and availability of the affected product.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, organizations should monitor Ivanti's security advisories for updates. Given the lack of patch or workaround information, applying network-level protections such as restricting access to the affected service may help reduce exposure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- ivanti
- Date Reserved
- 2026-01-22T14:59:56.988Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 697bd7ddac06320222bd31a9
Added to database: 1/29/2026, 9:57:49 PM
Last enriched: 4/15/2026, 12:34:38 PM
Last updated: 5/10/2026, 1:31:37 PM
Views: 165
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.