Critical Ivanti EPMM Zero-Days Trigger Mass Exploitation Wave
In early 2026, two critical zero-day vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — began driving a significant surge in incident activity targeting organizations across multiple sectors. Both flaws affect Ivanti Endpoint Manager Mobile (EPMM), a widely deployed mobile device management (MDM) platform. Rated CVSS 9.8 (Critical), these vulnerabilities allow unauthenticated remote code execution (RCE), enabling threat actors to compromise exposed appliances and pivot into broader enterprise environments. Ivanti disclosed the vulnerabilities on January 29, 2026, alongside emergency mitigation guidance. The German Federal Office for Information Security (BSI) subsequently issued a public warning, urging operators to apply mitigations and use updated detection scripts to assess potential compromise.
How the Vulnerabilities Work
Both CVE-2026-1281 and CVE-2026-1340 are pre-authentication Remote Command Execution vulnerabilities rooted in unsafe handling of attacker-controlled input within server-side Bash scripts. The core issue is a shell-evaluation bug: an internet-exposed EPMM web endpoint forwards portions of an incoming HTTP request into a script, and due to how Bash evaluates input, that data can be interpreted and executed as shell commands.
The two vulnerable Bash scripts at the center of exploitation are:
- /mi/bin/map-appstore-url
- /mi/bin/map-aft-store-url
Both scripts are invoked when specific HTTP endpoints matching the following pattern are requested:
/mifs/c/appstore/fob/3/<int>/sha256:<something1>/<something2>.ipa
A working exploit request looks like this:
/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue,et=1337133713,h=gPath[`sleep 5`]/e2327851-1e09-4463-9b5a-b524bc71fc07.ipa
The st parameter is crafted to correspond to an existing variable name in the Bash script. At a specific point during execution, the value of theValue is evaluated as a Bash expression. In the example above, gPath[`sleep 5`] causes Bash to execute the inner command sleep 5 while attempting to calculate an array index — substituting any attacker-supplied command in place of sleep 5 results in arbitrary command execution. Critically, no authentication is required at any stage. Any actor with network connectivity to an exposed EPMM appliance can exploit these flaws.
Observed Attacker Behavior: Initial Exploitation and RCE Validation
During incident response engagements across multiple customer environments, investigators identified consistent exploitation patterns targeting the vulnerable EPMM endpoints. Initial activity focused on validating successful RCE, with injected commands embedded directly in GET parameters. Commonly observed commands included:
- id, whoami, and hostname — basic environment fingerprinting
- passwd and ps — credential and process enumeration
- wget — payload retrieval and staging
- echo-based output redirection — confirming command output
- sleep and true — timing and execution control for blind injection confirmation
- rm — cleanup of temporary artifacts
In several cases, command output was redirected into web-accessible paths beneath the Tomcat webroot, including:
- /mi/.../webapps/mifs/403.jsp
- /mi/.../webapps/mifs/401.jsp
- /mi/.../webapps/mifs/css/*.css
Writing command output to web-accessible directories is a strong indicator of successful code execution rather than passive scanning. Additionally, DNS-based Out-of-Band (OAST) callback validation was observed, with repeated dig commands targeting attacker-controlled domains executed in short intervals — a technique used to confirm execution in environments where direct HTTP responses may be filtered or suppressed.
Webshell Deployment: Establishing Persistent Access
A particularly concerning post-exploitation behavior was the deployment of JSP webshells within Tomcat web application directories. Investigators identified a recurring marker string associated with in-memory Java class loader webshells:
class U extends ClassLoader
This pattern is characteristic of a well-known in-memory webshell technique that loads malicious Java classes at runtime, avoiding file-based detection on disk. Observed behavior indicates that attackers first checked for the presence of existing webshells before deploying their own — suggesting coordinated or experienced threat actors performing environment reconnaissance prior to establishing persistence.
A Saturated Threat Landscape
Since the initial vulnerability disclosure, the threat landscape around CVE-2026-1281 and CVE-2026-1340 has become highly saturated. Multiple independent threat actors and botnets have adopted the exploit, creating a significant level of background noise that complicates attribution. The rapid weaponization of publicly available exploit examples accelerated this broadening of the attacker pool — a pattern increasingly common with high-severity pre-authentication vulnerabilities in enterprise network edge products.
Given this environment, defenders should treat any unpatched or unmitigated Ivanti EPMM appliance as potentially already compromised, particularly those exposed to the internet.
Detection and Response Guidance
Organizations running Ivanti EPMM should take the following steps immediately:
- Apply Ivanti's emergency patches released alongside the January 29, 2026 disclosure without delay.
- Run the updated BSI detection scripts and review published indicators of compromise (IOCs) to assess whether exploitation has occurred.
- Audit web-accessible directories under the Tomcat webroot for unexpected JSP files or modified CSS files that may contain webshell artifacts.
- Review HTTP access logs for requests matching the /mifs/c/appstore/fob/3/ endpoint pattern with anomalous parameter values.
- Monitor DNS logs for unexpected outbound lookups to unknown domains originating from EPMM appliances — a sign of OAST-style callback activity.
- Isolate appliances from the broader network if compromise is suspected and engage incident response resources before attempting remediation.
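As an added illustration of the access-log review step (example code, not Ivanti's or BSI's own detection script), the following scanner matches requests to the /mifs/c/appstore/fob/3/ endpoint and flags those whose sha256 segment carries shell metacharacters (backticks, `$(`, brackets) that a benign request would not contain. It assumes Apache/Tomcat combined-log formatting; the log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Combined-log prefix: client, identd, user, [timestamp], "METHOD path PROTO", status (assumed format)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Endpoint pattern from the advisory: /mifs/c/appstore/fob/3/<int>/sha256:<segment>/<name>.ipa
ENDPOINT_RE = re.compile(r'^/mifs/c/appstore/fob/3/\d+/sha256:([^/]+)/[^/]+\.ipa$')

# Metacharacters needed to reach Bash command substitution or array-index evaluation;
# none of them belong in a legitimate sha256 segment.
SHELL_META_RE = re.compile(r'[`\[\]|;&<>]|\$[({\[]')


def inspect_request(path):
    """Return the decoded sha256 segment when it looks like an injection attempt, else None."""
    decoded = unquote(path)  # attackers may URL-encode backticks/spaces; decode before matching
    m = ENDPOINT_RE.match(decoded)
    if not m:
        return None
    segment = m.group(1)
    return segment if SHELL_META_RE.search(segment) else None


def scan_access_log(lines):
    """Return (client, timestamp, status, segment) for every suspicious request in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash mid-scan
        client, ts, _method, path, status = m.groups()
        segment = inspect_request(path)
        if segment is not None:
            hits.append((client, ts, status, segment))
    return hits


# Constructed sample lines: a benign app fetch, two injection attempts (the second fully
# URL-encoded), and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.10 - - [30/Jan/2026:10:00:01 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=abc,et=1337133713,h=deadbeef/app.ipa HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Jan/2026:10:00:09 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue,et=1337133713,h=gPath[%60sleep%205%60]/e2327851-1e09-4463-9b5a-b524bc71fc07.ipa HTTP/1.1" 500 0',
    '198.51.100.7 - - [30/Jan/2026:10:00:15 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue,h=gPath%5B%60id%60%5D/x.ipa HTTP/1.1" 500 0',
    '203.0.113.10 - - [30/Jan/2026:10:01:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, ts, status, segment in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {client} status={status} injected_segment={segment!r}")
```

Feed it the appliance's real access log (one line per list element) and triage each hit against the webroot write targets and DNS activity described above.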
Conclusion
CVE-2026-1281 and CVE-2026-1340 represent a high-severity, actively exploited attack surface that demands urgent attention from any organization relying on Ivanti EPMM for mobile device management. The combination of a trivial pre-authentication exploit path, rapid mass adoption by multiple threat actors, and confirmed post-exploitation persistence activity — including in-memory webshell deployment — makes this one of the most pressing enterprise vulnerability events of early 2026. Organizations that have not yet patched, assessed for compromise, or isolated affected appliances should treat this as a critical incident response priority.