Five entries in the CISA KEV catalog in three years: that is how many times Ivanti EPMM has demanded emergency patching as an actively exploited product. Four of the five CVEs have EPSS scores above 0.8, and CVE-2023-35078 holds the absolute maximum of the scale, 1.0. According to Unit 42 (Palo Alto Networks), more than 4,400 EPMM instances are exposed on the Internet. The IBM X-Force Threat Intelligence Index 2025 puts the average time to remediate a CVE in organizations at 29 months. The arithmetic is simple: while some are still patching, others are already inside.
Below is an analysis of the mechanics that APT groups and automated bots use to turn a vulnerable MDM server into an initial access point. If you work with infrastructure where EPMM is deployed, read carefully: there is something to do today.
Why Ivanti EPMM is a priority target for attackers
Ivanti Endpoint Manager Mobile (formerly MobileIron Core) is an enterprise MDM/UEM platform for managing the mobile fleet. According to Hadrian, EPMM controls application distribution, grants access to internal resources and enforces security policies on iOS and Android devices. Its place in the kill chain is initial access (T1190, Exploit Public-Facing Application): compromising the EPMM server opens a path from the Internet into the internal infrastructure.
In practice, a compromised EPMM server gives the attacker:
• Credential access (T1552.001, Credentials In Files): LDAP/AD integration configurations, certificates, administrator credentials
• Device control: modification of MDM policies and push configurations for the entire mobile fleet
• PII: according to the CISA description, the attacker obtains names, phone numbers, device identifiers and GPS coordinates (if geolocation is enabled)
• Lateral movement: EPMM is integrated with Ivanti Sentry and corporate authentication systems, a ready-made bridge into the internal network
Unit 42 observed attacks on state and municipal authorities, healthcare, manufacturing, legal services and high-tech companies in the US, Germany, Australia and Canada.
In effect, an MDM server designed as an internal administration tool sits on the external perimeter with direct access from the Internet. And it contains bash scripts that process user input. What could go wrong?
Applicability context: external pentest, internet-exposed on-premises EPMM. Cloud-hosted Ivanti Neurons for MDM, Ivanti EPM and Ivanti Sentry are not affected by CVE-2026-1281/1340, according to Hadrian.
CVE-2023-35078: the authentication bypass that started the series
According to the CISA description, the vulnerability allowed unauthenticated access to certain EPMM APIs. The attacker gained access to PII and could make configuration changes on the server. This CVE began a series of attacks on Ivanti MDM infrastructure, including confirmed ransomware campaigns. CISA classifies it as exploitation: active, automatable: yes, technical impact: total.
EPSS 1.0 is not an abstract metric. It means that every scanner with a CVE database is already checking your perimeter for that hole.
CVE-2025-4427 + CVE-2025-4428: chained auth bypass and code injection
Two CVEs that work as a pair, a classic chained exploit:
Both were added to CISA KEV on 2025-05-19 with SSVC Act status: exploitation: active, automatable: yes, technical impact: total.
Attack chain: CVE-2025-4427 bypasses authentication in the EPMM API component, opening access to protected resources. CVE-2025-4428 lets an authenticated attacker execute arbitrary code through specially crafted API requests. Chained, they give complete takeover of the system without any credentials.
Ivanti fixed both vulnerabilities in EPMM versions 11.12.0.5, 12.3.0.2, 12.4.0.2 and 12.5.0.1. A public exploit is published on Exploit-DB (EDB-52421, author İbrahimsql, published 2025-08-26). The ProjectDiscovery nuclei-templates repository contains the template CVE-2025-4427.yaml for automated detection of vulnerable hosts.
CVE-2026-1281 + CVE-2026-1340: pre-auth RCE via bash arithmetic expansion
Both are code injection flaws that let an unauthenticated attacker execute arbitrary code. According to Unit 42 and Hadrian, both are rated Critical, but no CVSS score has been published in the NVD. CISA classifies both as SSVC Act (exploitation: active, automatable: yes, technical impact: total).
The remediation deadline for CVE-2026-1281 is 3 days from the date of publication. Three days. One of the shortest deadlines in the history of CISA KEV, and it says more about the seriousness of the situation than any CVSS score.
Affected versions (according to Hadrian): 12.5.0.x, 12.5.1.0, 12.6.0.x, 12.6.0.0.
Unit 42 records that exploitation was already under way before the publication on January 29, 2026. Attackers are speeding up their operations, moving from reconnaissance to deploying dormant backdoors to retain access after patching. So even if you applied the patch the same day, check whether a "gift" was left behind.
Bash arithmetic expansion: the RCE mechanics of CVE-2026-1281 and CVE-2026-1340
Applicability preconditions: external pentest, internet-exposed on-premises EPMM versions 12.5.0.x to 12.7.0.x. Cloud-hosted Neurons for MDM is not affected.
This section is based on Unit 42 (Tier-1) and Hadrian Security research.
Vulnerable architecture and the variable indirection chain
The Apache configuration in EPMM defines two RewriteMap instances pointing to bash scripts: /mi/bin/map-appstore-url (CVE-2026-1281) and /mi/bin/map-aft-store-url (CVE-2026-1340). When an HTTP request arrives for the endpoints /mifs/c/appstore/fob/ or /mifs/c/aftstore/fob/, the parameters are passed directly to the corresponding bash script.
Think about it: user input from the URL goes straight into bash. In 2026.
The script parses the key-value pairs from the URL, assigning them to the variables gStartTime, gEndTime and gHashPrefixString. The variable gPath is defined earlier as an empty string. gStartTime is then used in an arithmetic comparison, and that is where the bash arithmetic expansion trap springs.
Exploitation via variable indirection (according to Hadrian):
1. The attacker sets st=theValue followed by two spaces (the padding satisfies a 10-character length check). The script assigns this to gStartTime.
2. The parameter h=gPath[`command`] is assigned to the variable theValue in the last iteration of the loop. According to Hadrian's reverse analysis, the bash script parses the key-value pairs in a loop in which the last parameter (h) overwrites the variable whose name matches the current value of gHashPrefixString, and that value is theValue (set via st). The exact assignment mechanism was reconstructed by Hadrian and may differ in detail from the source code.
3. In the arithmetic comparison (( gStartTime > gEndTime )), bash recursively evaluates variable names as arithmetic expressions (documented bash arithmetic evaluation behaviour): gStartTime -> the string theValue -> the variable theValue -> the array reference gPath[...] -> command substitution inside the index.
Recursive evaluation inside (( )) is the essence of bash arithmetic expansion injection (CWE-94). It is a beautiful chain when viewed from the outside. Much less so when it is your server.
Minimum PoC for CVE-2026-1281 (according to Hadrian):
Code:
GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60id%20>%20/mi/poc%60%5D HTTP/1.1
Host: target.example.com
URL-decoded value of h: gPath[`id > /mi/poc`], which writes the output of id to the file /mi/poc on the target server. CVE-2026-1340 is exploited the same way, but through the endpoint /mifs/c/aftstore/fob/.
According to Hadrian, the bash arithmetic expansion class of vulnerabilities has been known since at least 2014, yet it is systematically missed in security reviews. Dangerous contexts: $((expression)), ((expression)), ${var[index]}, [[ $var -eq $other ]]. Twelve years, and the same mistake in the production code of an enterprise product.
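As an added example (not EPMM's code, and not from Hadrian or Unit 42), here is the shape of the defence the chain above lacks: an allow-list parser for the kid/st/et/h parameter segment that the PoC sends, which checks every value against a strict pattern and converts it to a typed integer before any comparison happens, so no string ever reaches an evaluator such as bash (( )). The field meanings (st and et as ten-digit epoch timestamps, h as a hex hash prefix), the patterns and the function names are assumptions modelled on the variable names in Hadrian's analysis; the real EPMM format may differ.

```python
import re
from urllib.parse import unquote

# Allow-list per field. These rules are assumptions for this example, modelled
# on the variable names (gStartTime, gEndTime, gHashPrefixString) Hadrian reports.
FIELD_RULES = {
    "kid": re.compile(r"[0-9]{1,6}"),
    # A bare 10-character length check is what let "theValue  " through;
    # require ten *digits* instead.
    "st": re.compile(r"[0-9]{10}"),
    "et": re.compile(r"[0-9]{10}"),
    "h": re.compile(r"[0-9a-fA-F]{1,64}"),
}


class RejectedInput(ValueError):
    """Raised for any parameter segment that does not match the allow-list."""


def parse_fob_params(raw_segment):
    """Parse and validate the URL-encoded "k=v,k=v" segment.

    Returns a dict with kid/st/et as ints and h as a lowercase hex string,
    or raises RejectedInput. Decoding happens before splitting on purpose:
    an encoded comma can only produce extra pairs, and every pair must still
    pass the allow-list and the duplicate check.
    """
    decoded = unquote(raw_segment)
    fields = {}
    for pair in decoded.split(","):
        if "=" not in pair:
            raise RejectedInput(f"malformed pair: {pair!r}")
        key, value = pair.split("=", 1)
        if key not in FIELD_RULES:
            raise RejectedInput(f"unknown field: {key!r}")
        if key in fields:
            # Duplicate keys are how a "last assignment wins" loop gets abused.
            raise RejectedInput(f"duplicate field: {key!r}")
        if not FIELD_RULES[key].fullmatch(value):
            raise RejectedInput(f"field {key!r} failed validation: {value!r}")
        fields[key] = value
    missing = sorted(set(FIELD_RULES) - set(fields))
    if missing:
        raise RejectedInput(f"missing fields: {missing}")
    return {
        "kid": int(fields["kid"]),
        "st": int(fields["st"]),
        "et": int(fields["et"]),
        "h": fields["h"].lower(),
    }


def is_within_window(params, now):
    """Typed comparison on integers: nothing here can be expanded or evaluated."""
    return params["st"] <= now <= params["et"]


def classify(raw_segment):
    """Convenience wrapper: 'ok' for valid input, 'reject: <reason>' otherwise."""
    try:
        parse_fob_params(raw_segment)
        return "ok"
    except RejectedInput as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    # Constructed inputs: a well-formed segment and the PoC segment from the page.
    GOOD = "kid=1,st=1700000000,et=1700003600,h=deadbeef"
    POC = "kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60id%20>%20/mi/poc%60%5D"
    print(classify(GOOD))
    print(classify(POC))
```

The PoC is rejected at the st field, before h is even looked at: a length check accepts "theValue  " but a digits-only pattern does not. The same discipline applies to the bash script itself: match each value with a strict pattern before it is used in any of the dangerous contexts listed above.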
Limitations of the technique
When the technique does not work:
• On cloud-hosted Ivanti Neurons for MDM, which has a different architecture
• After installing patch 12.8.0.0, where the bash scripts are architecturally replaced by Java classes: RewriteMap mapAppStoreURL "prg:/bin/java -cp /mi/bin AppStoreUrlMapper"
• A WAF that blocks URL-encoded backticks (%60) and square brackets (%5B, %5D) can stop the basic PoC (but bypass via alternative encodings is likely, so do not rely on the WAF alone)
• If /mifs/c/(app|aft)store/fob/ is blocked at the network filter level, the request never reaches the script
• For CVE-2025-4427/4428 the vector is different (Spring Framework + Hibernate Validator), so these limitations do not apply
, which deploys a web shell, cryptominer or persistent backdoor. In some cases the Nezha monitoring agent was downloaded, an open-source server monitoring utility repurposed as a botnet agent, with a fallback to Gitee for victims in China.
Persistence via web shell (T1505.003). Unit 42 recorded the installation of JSP web shells named 401.jsp, 403.jsp and 1.jsp in the directory /mi/tomcat/webapps/mifs/. Hadrian notes that Behinder, a Java web shell with an encrypted communication channel, was among those used. If Tomcat runs as root (and it often does), the attacker gets full control. Unit 42 stresses that dormant backdoors retain access even after the patch is installed.
Credential access and lateral movement. A compromised EPMM exposes administrator credentials, LDAP/AD configurations and connections to Ivanti Sentry. During incident response, audit all Sentry connections and authentication configurations: this is the lateral movement vector.
Defense evasion (T1562.001). Hadrian warns that attackers wipe the local Apache logs and system logs. Without a centralized SIEM, the forensic data is lost. I have seen cases where literally nothing was left to work with after the incident, because everything was stored locally on the compromised host.
Detection and threat hunting for Ivanti EPMM vulnerabilities
Regex for Apache HTTPD access logs, developed by Ivanti together with NCSC-NL:
Code:
^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404
What to look for in the logs:
• Requests to /mifs/c/appstore/fob/ or /mifs/c/aftstore/fob/ with an HTTP 404 response
• Bash metacharacters in URL parameters: %60 (backtick), %24%28 ($( ), %7C (pipe)
• A series of requests from one IP to these endpoints at short intervals: a sign of automated scanning
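To make the three log indicators concrete, here is an added Python triage script (not Ivanti's or NCSC-NL's tooling) that applies the published regex to Apache access-log lines, decodes each request path to look for the backtick, $( and pipe metacharacters, and counts fob requests per client IP to surface bursts. The log layout (client:port first, then the usual combined-log fields), the burst threshold of three, the function names and the sample lines are all constructed for this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Regex published by Ivanti with NCSC-NL (as quoted on the page): requests to the
# fob endpoints that were answered with 404, excluding localhost sources.
IVANTI_NCSC_REGEX = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404"
)

# Supplementary checks; these are this example's assumptions, not vendor guidance.
FOB_PATH = re.compile(r"/mifs/c/(app|aft)store/fob/")
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')
BASH_META = re.compile(r"`|\$\(|\|")                      # backtick, $( and pipe, after decoding
CLIENT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+ ")   # assumed "ip:port" log prefix
BURST_THRESHOLD = 3                                        # fob requests from one IP, assumed

# Constructed sample log lines (not real traffic). Line 0 has the shape of the
# page's PoC, line 1 an encoded "$(" probe, line 2 a plain scanner hit, line 3
# a localhost request, lines 4 and 5 benign traffic.
SAMPLE_LOG = [
    '203.0.113.7:51230 - - [29/Jan/2026:10:15:01 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%60id%60%5D HTTP/1.1" 404 196',
    '203.0.113.7:51231 - - [29/Jan/2026:10:15:02 +0000] "GET /mifs/c/aftstore/fob/3/5/sha256:kid=1,st=theValue%20%20,et=1337133713,h=gPath%5B%24%28id%29%5D HTTP/1.1" 404 196',
    '203.0.113.7:51232 - - [29/Jan/2026:10:15:03 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 196',
    '127.0.0.1:43122 - - [29/Jan/2026:10:15:09 +0000] "GET /mifs/c/appstore/fob/health HTTP/1.1" 404 196',
    '198.51.100.4:60111 - - [29/Jan/2026:10:16:30 +0000] "GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=1700000000,et=1700003600,h=deadbeef HTTP/1.1" 200 1234',
    '198.51.100.4:60112 - - [29/Jan/2026:10:17:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120',
]


def matches_vendor_regex(line):
    """True when the Ivanti/NCSC-NL regex fires on this access-log line."""
    return IVANTI_NCSC_REGEX.search(line) is not None


def request_path(line):
    """Extract the request target from the quoted request line ('' if absent)."""
    m = REQUEST_LINE.search(line)
    return m.group(1) if m else ""


def has_bash_metachars(line):
    """Fob request whose URL-decoded path contains a backtick, '$(' or a pipe."""
    path = request_path(line)
    return bool(FOB_PATH.search(path)) and bool(BASH_META.search(unquote(path)))


def burst_sources(lines, threshold=BURST_THRESHOLD):
    """Client IPs that issued at least `threshold` fob requests in this batch."""
    counts = Counter()
    for line in lines:
        m = CLIENT.match(line)
        if m and FOB_PATH.search(request_path(line)):
            counts[m.group(1)] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def triage(lines):
    """Index the lines that hit each indicator, plus the bursting source IPs."""
    findings = defaultdict(list)
    for idx, line in enumerate(lines):
        if matches_vendor_regex(line):
            findings["vendor_regex"].append(idx)
        if has_bash_metachars(line):
            findings["bash_metachars"].append(idx)
    findings["burst_sources"] = burst_sources(lines)
    return dict(findings)


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Two things worth knowing before wiring this into a SIEM rule: the vendor regex's trailing `.*?404` matches the digits 404 anywhere after the path, including in the response size field, so treat a hit as a triage signal and confirm the status code; and the burst count is per batch, so feed it a time-bounded window (the "short intervals" indicator) rather than a whole day of logs.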
Web shell and file system:
• Compare the JSP files in /mi/tomcat/webapps/mifs/ with a reference clean installation; any discrepancy is suspicious
• POST requests to error pages (401.jsp, 403.jsp) with non-standard parameters: these are not users making mistakes, it is a web shell
• Unknown WAR/JAR files in Tomcat directories
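The file comparison above is easy to automate. The following added example (not Ivanti's Exploitation Detection Script) builds a SHA-256 manifest of the .jsp, .war and .jar files under a webapp directory and diffs it against a baseline taken from a known-clean install of the same version, reporting added, modified and removed files; it covers both the JSP check here and item 6 of the hardening cheat sheet. The demo() function runs it against a constructed temporary tree instead of /mi/tomcat/webapps/mifs/; the watched suffixes and function names are this example's choices.

```python
import hashlib
import tempfile
from pathlib import Path

# File types worth baselining in a Tomcat webapp (assumption for this example).
WATCHED_SUFFIXES = {".jsp", ".war", ".jar"}


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, suffixes=WATCHED_SUFFIXES):
    """Map each watched file (path relative to root, POSIX style) to its digest."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifests(baseline, current):
    """Sorted lists of files that appeared, changed or disappeared since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def audit_webapp(root, baseline):
    """Hash the live tree and compare it with a baseline manifest."""
    return diff_manifests(baseline, build_manifest(root))


def demo():
    """Constructed scenario: a clean tree, then the kind of changes the page describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WEB-INF" / "lib").mkdir(parents=True)
        (root / "index.jsp").write_text("<%-- clean --%>")
        (root / "WEB-INF" / "lib" / "mifs.jar").write_bytes(b"PK\x03\x04clean")
        (root / "README.txt").write_text("not a watched suffix, ignored")
        baseline = build_manifest(root)
        # Post-compromise changes modelled on the page: new error-page JSPs
        # and a tampered existing JSP. Contents are placeholders, not web shells.
        (root / "401.jsp").write_text("<%-- constructed placeholder --%>")
        (root / "403.jsp").write_text("<%-- constructed placeholder --%>")
        (root / "index.jsp").write_text("<%-- tampered --%>")
        return audit_webapp(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must come from a clean install of the same EPMM version and be stored off the host: if Tomcat runs as root, an attacker who can drop 401.jsp can also rewrite a manifest kept next to it.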
Network indicators:
• Outgoing TCP connections from EPMM servers to IPs outside the whitelist (especially on non-standard ports)
• Long-lived sessions to external addresses
• Reverse shell patterns in traffic: bash -i, nc -e, python -c 'import socket'
Ivanti provides customers with an Exploitation Detection Script (developed together with NCSC-NL). If EPMM logs are ingested into Cortex XDR/XSIAM, Unit 42 publishes XQL queries for threat hunting.
Hardening cheat sheet for Ivanti EPMM
1. Update EPMM immediately. Install the RPM patch (12.x.0.x.x.x.1.x depending on the version). The patch does not require downtime. The target version is 12.8.0.0, where the bash scripts are replaced by Java classes
2. If the instance was exposed before the patch, treat it as compromised. Run incident response and rebuild from a clean image. No alternatives
3. Close the endpoints. Make sure /mifs/c/(app|aft)store/fob/ is not reachable from the Internet. Block it at the firewall or reverse proxy
4. Network segmentation. Put the EPMM server in an isolated VLAN. Restrict outgoing connections to a whitelist
5. Centralized logging. Send Apache access/error logs and EPMM system logs to the SIEM. Configure alerts on the regex from the detection section
6. File system audit. Compare the hashes of the JSP files in /mi/tomcat/webapps/mifs/ with the reference
7. Ivanti Sentry. Check all EPMM-Sentry connections for unauthorized configurations
8. Account audit. Check for unknown administrative accounts and changes to the LDAP/AD authentication configuration
9. Monitoring of outgoing connections. Alert on TCP connections from EPMM to IPs outside the whitelist
10. Re-apply the RPM after updates. Temporary RPM patches are removed when EPMM is updated, a documented limitation. Forget this, and you are exposed again