CVE-2026-1340
published 2026-01-29

CVE-2026-1340: A code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that allows unauthenticated attackers to achieve remote code execution.

Priority: P1 (100) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2026-04-11
Exploited in the wild
EPSS: 84.04% (99.7th percentile)

Affected (1 range)

Vendor   Product                   Version range   Fixed in
ivanti   endpoint_manager_mobile   <= 12.7.0.0     (not listed)

Detection & IOCs (extracted from sources)

ip: 193[.]24[.]123[.]42
ip: 45[.]129[.]230[.]38
ip: 198[.]98[.]54[.]209
ip: 156[.]146[.]45[.]26
ip: 198[.]98[.]56[.]220
path: /mifs/c/aftstore/fob/
path: /mifs/403.jsp
path: /mi/tomcat/webapps/mifs/
filename: 401.jsp
filename: 403.jsp
filename: 1.jsp
path: /mi/bin/map-aft-store-url
path: /slt
detection query (XQL syntax, not a Sigma rule):
filter log_type in ("https_request", "https_access", "http_request", "https_access") | alter ... HTTP_Request_URI ... Attempted_command_execution = arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(?:GET|POST|PUT)\s+(?:[^=]*=)+gPath([^\s]+)"), 0)
  • Exploitation of CVE-2026-1340 targets the bash script map-aft-store-url (/mi/bin/map-aft-store-url) via HTTP GET requests to the /mifs/c/aftstore/fob/ endpoints. Monitor for GET requests to this URI prefix on EPMM appliances.
  • Look for the gPath parameter in HTTP request URIs in EPMM logs; it is the injection vector for command execution in both CVE-2026-1281 and CVE-2026-1340.
  • About 85% of observed exploitation payloads use OAST DNS callbacks to verify command execution (blind RCE verification). Alert on outbound DNS queries from EPMM servers to unknown or random-looking subdomains, which an EPMM appliance normally has no reason to resolve, as a sign of successful exploitation.
  • Dormant JSP web shells (401.jsp, 403.jsp, 1.jsp) are deployed at /mi/tomcat/webapps/mifs/. Scan for unexpected JSP files in this directory, especially ones that require a specific trigger parameter to activate.
  • Attackers use sleep commands (e.g., sleep 5) as a time-based blind RCE check. A roughly 5-second delay before a 404 response on EPMM endpoints is a strong indicator of successful RCE; compare against the endpoint's normal response time before alerting.
  • The dominant exploitation source IP 193[.]24[.]123[.]42 (PROSPERO OOO, AS200593) is absent from widely circulated IOC lists. Block and alert on traffic from this IP and AS200593 on EPMM-facing infrastructure.
  • Published IOC lists for this campaign include Windscribe VPN exit node IPs that show zero Ivanti EPMM exploitation activity; those IPs are scanning Oracle WebLogic on port 7001. Do not rely solely on circulated IOC lists for detection.
  • CVE-2026-1340 and CVE-2026-1281 share the same root cause (unsafe bash script usage) but reside in two distinct scripts handling different features (map-appstore-url vs. map-aft-store-url). Patches are version-specific, not vulnerability-specific: apply the correct RPM for your EPMM version.
  • Dormant web shells are designed to survive patching. Review EPMM appliances for signs of compromise even after applying the patch, as backdoors may already be present.
  • The sleeper shells at /mifs/403.jsp require a specific trigger parameter to activate and showed no follow-on exploitation at the time of reporting. Compromised systems may appear unaffected while the implant waits.
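The detection points above (GET requests under /mifs/c/aftstore/fob/, a gPath injection value, sleep-based blind RCE checks, a slow 404 on the exploit path, the listed source IPs, and requests for the dropped JSP names) can be applied offline to exported access logs. The script below is an added example, not code from the page's sources or from Ivanti. It assumes a combined-format access log with a trailing response-time field in milliseconds (the EPMM log shape may differ; adjust LOG_RE), treats gPath the way the page's regextract does (whatever follows the literal "gPath" in the raw request URI, then URL-decoded), and uses constructed sample lines rather than real traffic. The defanging brackets are removed from the IOC IPs so they compare as plain addresses.

```python
"""Added example, not from the original page and not Ivanti's code: triage of
EPMM HTTP access-log lines for the request pattern the page describes.
The log format and every sample line below are constructed for illustration."""
import re
from urllib.parse import unquote_plus, urlsplit

# Indicators from the page (defanging brackets removed so they compare as IPs).
KNOWN_BAD_IPS = {
    "193.24.123.42", "45.129.230.38", "198.98.54.209",
    "156.146.45.26", "198.98.56.220",
}
EXPLOIT_URI_PREFIX = "/mifs/c/aftstore/fob/"
WEB_SHELL_NAMES = {"401.jsp", "403.jsp", "1.jsp"}
SLOW_404_MS = 5000  # the page's "sleep 5" timing check; tune to your baseline latency

# Assumed log shape (constructed): combined log format plus a trailing
# response-time field in milliseconds. Adjust LOG_RE for your appliance.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<ms>\d+)$'
)
# Same idea as the page's regextract: capture whatever follows "gPath" in the
# raw (still percent-encoded) request URI, up to the next whitespace.
GPATH_RE = re.compile(r'gPath(\S+)')
SLEEP_RE = re.compile(r'\bsleep\s+(\d+)\b')


def analyse_line(line):
    """Parse one access-log line; return its fields plus a list of findings,
    or None when the line does not match LOG_RE."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, uri = m["ip"], m["method"], m["uri"]
    status, ms = int(m["status"]), int(m["ms"])
    path = urlsplit(uri).path
    findings = []

    if ip in KNOWN_BAD_IPS:
        findings.append("known-bad-source-ip")
    if method == "GET" and path.startswith(EXPLOIT_URI_PREFIX):
        findings.append("aftstore-uri")

    g = GPATH_RE.search(uri)
    if g:
        # Decode after capturing so %20 inside the payload is not a delimiter,
        # then drop a leading "=" when gPath was sent as a query-string key.
        payload = unquote_plus(g.group(1)).lstrip("=")
        findings.append("gpath-payload:" + payload)
        s = SLEEP_RE.search(payload)
        if s:
            findings.append("blind-rce-sleep:%ss" % s.group(1))

    # The page's timing check: a ~5 s delay before a 404 on the exploit path.
    if status == 404 and ms >= SLOW_404_MS and path.startswith(EXPLOIT_URI_PREFIX):
        findings.append("slow-404")

    # Requests for the JSP names the page lists as dormant shells. Check these
    # against your appliance's legitimate error pages before acting on a hit.
    if path.rsplit("/", 1)[-1] in WEB_SHELL_NAMES:
        findings.append("web-shell-path-request")

    return {"ip": ip, "uri": uri, "status": status, "findings": findings}


def triage(lines):
    """Analyse every line; return only the hits, most findings first."""
    hits = [r for r in map(analyse_line, lines) if r and r["findings"]]
    return sorted(hits, key=lambda r: len(r["findings"]), reverse=True)


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '193.24.123.42 - - [29/Jan/2026:10:15:01 +0000] '
    '"GET /mifs/c/aftstore/fob/?gPath=%3Bsleep%205%3B HTTP/1.1" 404 0 5012',
    '10.0.0.5 - - [29/Jan/2026:10:16:30 +0000] '
    '"GET /mifs/login.jsp HTTP/1.1" 200 1843 41',
    '203.0.113.9 - - [29/Jan/2026:10:17:02 +0000] '
    '"GET /mifs/403.jsp HTTP/1.1" 200 12 8',
    'not a log line',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["uri"], ", ".join(hit["findings"]))
```

Run it against a log export with `triage(open(path).read().splitlines())`. A line that trips the source-IP, URI-prefix, gPath and timing checks at once is a near-certain exploitation attempt; a lone "web-shell-path-request" on 403.jsp needs a look at the file on disk, since the page notes the dropped shells stay dormant until a specific trigger parameter is supplied.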

CVSS provenance

nvd: CVSS v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL