Source: watchTowr Labs
Two actively exploited pre-authentication remote code execution vulnerabilities have been discovered in Ivanti’s Endpoint Manager Mobile (EPMM), a platform widely deployed by enterprises to manage mobile device fleets across iOS and Android environments. The flaws, tracked as CVE-2026-1281 and CVE-2026-1340, have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
What Makes This Dangerous
The vulnerabilities stem from Bash arithmetic expansion in Apache RewriteMap scripts. Unauthenticated endpoints pass user-controlled input straight into two Bash scripts, /mi/bin/map-appstore-url and /mi/bin/map-aft-store-url.
The exploit leverages an obscure Bash behavior: when a value evaluated in an arithmetic context looks like an array reference and its subscript contains a command substitution, the shell runs that command while expanding the subscript. By crafting malicious HTTP requests to the app store endpoint, attackers can inject OS commands that execute with server privileges.
Technical Details
The vulnerable endpoint accepts requests like:
GET /mifs/c/appstore/fob/3/[int]/sha256:[payload]/[file].ipa
Through manipulation of the st (start time) and h (hash) parameters, attackers can trigger arithmetic expansion that executes arbitrary commands. The payload uses variable indirection combined with command substitution:
gPath[`id > /mi/poc`]
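As an added illustration of the pattern just described (example code written for this page, not watchTowr's proof of concept and not Ivanti's RewriteMap scripts; the gPath name, the "start time" helper and the canary payload are constructed), the script below shows a lookup helper that lets an untrusted value reach a Bash arithmetic context, next to a hardened version that validates the value against a strict pattern before any arithmetic use:

```shell
#!/bin/bash
# Added example, not code from watchTowr Labs or from Ivanti's EPMM scripts.
# Models a RewriteMap-style helper that takes one untrusted request value and
# shows the vulnerable pattern (value reaches an arithmetic context unvalidated)
# next to a hardened one (value validated against an allow-list first).
# The gPath table name and the "start time" helper are constructed for this demo.

# VULNERABLE: the untrusted value is evaluated in an arithmetic context.
# Bash evaluates a variable's value recursively there, so a value shaped like
# gPath[`cmd`] or gPath[$(cmd)] is treated as an array reference and the
# command substitution inside the subscript is executed.
unsafe_start_time() {
    local st=$1
    if (( st < 0 )); then        # arithmetic context: the subscript is expanded here
        return 1
    fi
    printf '%s\n' "$st"
}

# HARDENED: accept only a bounded run of decimal digits, decided by a pattern
# match ([[ =~ ]] is not an arithmetic context), before any arithmetic use.
safe_start_time() {
    local st=$1
    if [[ $st =~ ^[0-9]{1,12}$ ]]; then
        printf '%s\n' "$st"
        return 0
    fi
    return 1
}

# HARDENED: same idea for the hash segment; only a literal sha256: prefix
# followed by exactly 64 lowercase hex digits passes.
safe_hash() {
    local h=$1
    if [[ $h =~ ^sha256:[0-9a-f]{64}$ ]]; then
        printf '%s\n' "$h"
        return 0
    fi
    return 1
}

# Stand-alone demo: a harmless canary (a file created in a temp dir) shows which
# helper lets the subscript run. Nothing here exits non-zero at top level.
demo() {
    local dir payload
    dir=$(mktemp -d)
    payload='gPath[$(touch '"$dir"'/canary; echo 0)]'   # constructed canary payload
    unsafe_start_time "$payload" >/dev/null || true
    [ -e "$dir/canary" ] && echo "unsafe_start_time: subscript executed (canary created)"
    rm -f "$dir/canary"
    safe_start_time "$payload" >/dev/null || echo "safe_start_time: rejected the value"
    [ -e "$dir/canary" ] || echo "safe_start_time: canary NOT created"
    rm -rf "$dir"
}
demo
```

The point of the hardened helpers is ordering: the value is checked with a pattern match, which never evaluates its operand arithmetically, and only a value that passed is allowed near `(( ))`, `$(( ))`, `[[ -eq ]]` or indirect expansion. Replacing the Bash scripts with Java, as the interim patches do, removes the arithmetic context altogether.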
Patch Status: “Patches-With-Commitment-Issues”
Ivanti has released interim RPM patches that require reapplication after any system changes—a permanent fix is expected in version 12.8.0.0 in Q1 2026. The patches replace the vulnerable Bash scripts with Java implementations, completely removing the attack surface.
Affected Versions
All versions of Ivanti EPMM prior to the patched release are vulnerable. Organizations running EPMM should:
- Apply the interim security patches immediately
- Monitor for indicators of compromise
- Review access logs for suspicious app store endpoint requests
- Plan for patch reapplication after any system updates
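For the log-review step, here is an added triage helper (example code written for this page, not a watchTowr or Ivanti tool; the access-log lines, IPs, hashes and user agents are constructed samples in Apache combined format) that flags requests to the app store endpoint whose path carries shell metacharacters, raw or percent-encoded, and summarises them by source address:

```shell
#!/bin/bash
# Added example, not code from watchTowr Labs or Ivanti. Triage helper for the
# "review access logs" step: flags app store endpoint requests whose path carries
# shell metacharacters, raw or URL-encoded. The log lines below are constructed
# samples in Apache combined format; the IPs, hashes and user agents are made up.

sample_log() {
cat <<'EOF'
10.0.0.5 - - [10/Jan/2026:10:00:01 +0000] "GET /mifs/c/appstore/fob/3/1700000000/sha256:0000000000000000000000000000000000000000000000000000000000000000/app.ipa HTTP/1.1" 200 512 "-" "CFNetwork/1408"
10.0.0.9 - - [10/Jan/2026:10:00:07 +0000] "GET /mifs/c/appstore/fob/3/1/sha256:gPath[`id`]/app.ipa HTTP/1.1" 500 0 "-" "curl/8.4.0"
10.0.0.9 - - [10/Jan/2026:10:00:09 +0000] "GET /mifs/c/appstore/fob/3/1/sha256:gPath%5B%24%28id%29%5D/app.ipa HTTP/1.1" 500 0 "-" "curl/8.4.0"
10.0.0.5 - - [10/Jan/2026:10:01:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2026:10:02:00 +0000] "GET /other/path/gPath[`id`] HTTP/1.1" 404 0 "-" "curl/8.4.0"
EOF
}

# Match the request line only when the path is under /mifs/c/appstore/ and the
# rest of the path contains $, a backtick, [ or their percent-encoded forms
# (%24, %60, %5B). Reads stdin when no file is given.
suspicious_appstore_requests() {
    grep -iE '"(GET|POST|HEAD) /mifs/c/appstore/[^" ]*(\$|`|\[|%24|%60|%5B)' "$@"
}

# Count flagged lines so the result can be checked by a script (prints 0 if none).
count_suspicious() {
    suspicious_appstore_requests "$@" | grep -c .
}

# Summarise by source IP for triage: who sent flagged requests, and how often.
flagged_by_ip() {
    suspicious_appstore_requests "$@" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed sample: prints "2 10.0.0.9".
sample_log | flagged_by_ip
```

A hit is a reason to look closer, not proof of compromise: a 500 response on the app store path from a host that never fetched an app before, with metacharacters in the hash segment, is the shape worth escalating, and the same filter works on archived logs for the period before the interim patch was applied.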
Why This Matters
Ivanti EPMM manages mobile devices across enterprise environments, often holding credentials and policies for entire corporate fleets. A pre-auth RCE in this platform gives attackers a direct path to:
- Mobile device management infrastructure
- Corporate app distribution systems
- Policy enforcement mechanisms
- Potential lateral movement into managed devices
The fact that these vulnerabilities are already being exploited in the wild makes immediate patching critical for any organization running Ivanti EPMM.
