cbcvebase.
CVE-2026-1281
published 2026-01-29

CVE-2026-1281: A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

Priority: P1 (100) · Severity: critical · CVSS 3.1: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2026-02-01
Exploited in the wild
EPSS: 81.23% (99.6th percentile)

Affected (5 ranges)

Vendor   Product                  Version range   Fixed in
ivanti   endpoint_manager_mobile  <= 12.5.0.0
ivanti   endpoint_manager_mobile
ivanti   endpoint_manager_mobile
ivanti   endpoint_manager_mobile
ivanti   endpoint_manager_mobile

Detection & IOCs (extracted from sources)

  • ip: 193[.]24[.]123[.]42
  • ip: 45[.]129[.]230[.]38
  • ip: 198[.]98[.]54[.]209
  • ip: 156[.]146[.]45[.]26
  • ip: 198[.]98[.]56[.]220
  • path: /mifs/403.jsp
  • path: /mi/tomcat/webapps/mifs/
  • filename: 401.jsp
  • filename: 403.jsp
  • filename: 1.jsp
  • path: /mifs/c/appstore/fob/
  • path: /mifs/c/aftstore/fob/
  • path: /mi/bin/map-appstore-url
  • path: /slt
  • sigma: filter log_type in ("https_request", "https_access", "http_request", "https_access") | alter ... HTTP_Request_URI ... Attempted_command_execution = arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(?:GET|POST|PUT)\s+(?:[^=]*=)+gPath([^\s]+)"), 0)
  • CVE-2026-1281 exploits bash arithmetic expansion via the 'h' parameter containing gPath['<command>'] in HTTP GET requests to /mifs/c/appstore/fob/ endpoints; look for 'gPath' in URI query strings in EPMM logs.
  • Dormant JSP web shells (401.jsp, 403.jsp, 1.jsp) are dropped at /mi/tomcat/webapps/mifs/ and require a specific trigger parameter to activate; scan for unexpected JSP files in that directory.
  • Reconnaissance sleep-command probing: if an HTTP connection to the EPMM endpoint hangs for exactly five seconds before returning a 404, the attacker has confirmed RCE. Alert on anomalously delayed 404 responses from EPMM.
  • The dominant exploitation source IP (193.24.123.42, PROSPERO OOO AS200593) is absent from widely circulated IOC lists; defenders relying solely on published IOC blocklists may miss 83% of observed exploitation traffic.
  • Published Windscribe VPN IOC IPs for this campaign show zero Ivanti EPMM exploitation; their /24 subnet targets Oracle WebLogic on port 7001 instead. Do not rely on those IOCs for Ivanti detection.
  • CVE-2026-1281 affects the legacy bash script at /mi/bin/map-appstore-url used by Apache RewriteMap for the In-House Application Distribution feature; CVE-2026-1340 affects a separate script (map-aft-store-url) for the Android File Transfer mechanism. Both share the same root cause (unsafe bash script usage) but are distinct components.
  • Ivanti's patch (RPM 12.x.0.x or RPM 12.x.1.x, version-specific not vulnerability-specific) requires no downtime; organizations should also review appliances for signs of pre-patch exploitation, as dormant backdoors may persist after patching.
  • The exploitation campaign is primarily cataloging vulnerable targets via OAST DNS callbacks rather than immediately deploying payloads; compromised systems may appear unaffected while hosting dormant sleeper shells awaiting a trigger.
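As an added defender-side example (not code from the page's sources or from Ivanti), the three log heuristics above, gPath in the query string of an appstore/aftstore request, requests for the dropped web shell filenames, and the roughly five-second 404, combined into one triage pass over constructed access-log lines, plus a baseline check for unexpected JSP files in the webapps directory. The log line format, the latency tolerance and the inert placeholder gPath value are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines (not real EPMM logs): "METHOD PATH QUERY STATUS LATENCY_MS".
# The gPath value is an inert placeholder, not a working payload.
SAMPLE_LOG = """\
GET /mifs/c/appstore/fob/ h=gPath%5B%27PLACEHOLDER%27%5D 404 5003
GET /mifs/c/appstore/fob/ h=abc123 200 41
GET /mifs/403.jsp - 200 12
GET /mifs/c/aftstore/fob/ id=42 404 5010
POST /mifs/login - 302 80
"""

WATCHED_PREFIXES = ("/mifs/c/appstore/fob/", "/mifs/c/aftstore/fob/")
SHELL_NAMES = {"401.jsp", "403.jsp", "1.jsp"}
SLEEP_WINDOW_MS = (4500, 5500)  # assumed tolerance around the five-second probe
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def triage_line(line):
    """Return the reasons a single log line looks like CVE-2026-1281 activity."""
    m = LINE_RE.match(line)
    if not m:
        return []
    method, path, query, status, latency = m.groups()
    reasons = []
    # 1. gPath inside the query string of an appstore/aftstore request
    if path.startswith(WATCHED_PREFIXES) and query != "-":
        params = parse_qs(unquote(query), keep_blank_values=True)
        if any("gPath" in v for vals in params.values() for v in vals):
            reasons.append("gPath in query string")
    # 2. A request for one of the web shell filenames named in the sources
    if path.rsplit("/", 1)[-1] in SHELL_NAMES:
        reasons.append("access to known web shell filename")
    # 3. A 404 that took about five seconds (sleep-command probe)
    if status == "404" and SLEEP_WINDOW_MS[0] <= int(latency) <= SLEEP_WINDOW_MS[1]:
        reasons.append("delayed 404 (~5s)")
    return reasons


def triage(log_text):
    """Map each flagged line to its reasons; clean lines are omitted."""
    return {ln: r for ln in log_text.splitlines() if (r := triage_line(ln))}


def unexpected_jsp(listing, baseline):
    """JSP files in a webapps/mifs listing that are absent from the known-good baseline."""
    return sorted(f for f in listing if f.endswith(".jsp") and f not in baseline)


if __name__ == "__main__":
    for ln, reasons in triage(SAMPLE_LOG).items():
        print(ln, "->", "; ".join(reasons))
```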

CVSS provenance

nvd: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL