Emergency Fix

CVE-2026-1340

Pre-auth RCE in Ivanti EPMM Android File Transfer endpoint

Summary

Ivanti Endpoint Manager Mobile (EPMM) has a code injection flaw in the Android File Transfer handling path. An unauthenticated attacker can send crafted HTTP GET requests to the /mifs/c/aftstore/fob/ endpoint, which feeds legacy Apache RewriteMap Bash helpers that can evaluate attacker-controlled values and execute commands. Successful exploitation can lead to full appliance compromise, web shells, and access to managed-device and admin data.

Why Emergency Fix?

6/6
  • No authentication required
  • Mixed internet / internal deployment
  • No user interaction needed
  • Exploitable in default configuration
  • Active exploitation in the wild
  • High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Is exploitable with default configuration? Yes
Is authentication needed? No
PoC / Exploit: Yes
Impact

Execute arbitrary OS commands on the EPMM appliance, deploy web shells, and access managed-device and admin data.

Full System Compromise
Exploitation Requirements
  • Internet-exposed EPMM appliance on an affected version
  • HTTP/HTTPS access to the aftstore endpoint
  • No authentication or user interaction required
Exploitation Process

An attacker sends an unauthenticated HTTP GET request to the vulnerable /mifs/c/aftstore/fob/ endpoint on an exposed EPMM appliance, using crafted path segments and parameter values that reach the Bash rewrite helper. Apache RewriteMap passes attacker-controlled input into the legacy map-aft-store-url script, where shell evaluation can occur during parsing and arithmetic expansion. If the payload succeeds, the attacker verifies execution by observing timing or command output, then uses the shell access to drop a web shell or backdoor.

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 1

Affected Software

Vendor: Ivanti
Product: Ivanti Endpoint Manager Mobile (EPMM)
Affected Versions: 12.5.1.0 and prior; 12.6.1.0 and prior; 12.7.0.0 and prior
Description

On-premises mobile device management platform used by enterprises to enroll, manage, secure, and distribute apps and policies to mobile devices.

Deployment: Commonly internet-facing
Protocol: HTTPS
Ports: 443

Affected Component: Android File Transfer Configuration endpoint and legacy Apache RewriteMap Bash helper script (map-aft-store-url) behind the /mifs/c/aftstore/fob/ path.

Affected Endpoints (1): /mifs/c/aftstore/fob/
Enterprise Usage: Estimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals, not exact data.
Vendor Size: Medium
Remediation
Workaround

Not available

Patch
Apply the version-specific Ivanti RPM security update: use 12.x.0.x for 12.5.0.x/12.6.0.x/12.7.0.x branches and 12.x.1.x for 12.5.1.0/12.6.1.0 branches; reapply after any version upgrade because the RPM does not persist.


hub.ivanti.com
Update

Not available

Threat Intelligence
EPSS Score: 73.8%

Probability of exploitation in the next 30 days

EPSS Percentile: 99%

Worse than 99% of all CVEs

CISA KEV: Listed
Active Exploitation: Active (ivanti.com)
Threat Actors

No known threat actors

Detection Rules (2)
  • Other: Cortex XDR XQL: match Ivanti EPMM logs for HTTP(S) requests to /mifs/c/(app|aft)store/fob with '=gPath' in the URI and extract source IP, method, response code, and EPMM version.
  • Other: PAN-OS / NGFW URL hunt: flag requests where uri matches /mifs/c/(app|aft)store/fob and contains '=gPath'; investigate source_ip, dest_ip, headers, and session context.
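
The two hunts above, as an added Python example that is not from the original page or from Ivanti. It assumes Apache combined-format access log lines and, as an addition to the rule text, percent-decodes the URI before matching; the log lines, IPs and `PLACEHOLDER` values are constructed.

```python
import re
from urllib.parse import unquote

# Apache combined log format (assumed; adjust to the appliance's real format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
# Path and marker taken from the hunt descriptions above.
PATH_RE = re.compile(r'/mifs/c/(?:app|aft)store/fob', re.IGNORECASE)
MARKER = '=gpath'

def decode(uri, rounds=3):
    """Percent-decode repeatedly so %3D / %253D variants still match."""
    for _ in range(rounds):
        new = unquote(uri)
        if new == uri:
            break
        uri = new
    return uri

def hunt(lines):
    """Return one dict per request that hits the store path with '=gPath'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        uri = decode(m['uri'])
        if PATH_RE.search(uri) and MARKER in uri.lower():
            hits.append({'src': m['src'], 'ts': m['ts'], 'method': m['method'],
                         'status': int(m['status']), 'uri': m['uri']})
    return hits

# Constructed sample lines (documentation IPs, placeholder values, no payloads).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /mifs/c/aftstore/fob/a/b/x=gPath-PLACEHOLDER HTTP/1.1" 404 196 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /mifs/c/appstore/fob/a/b/x%3DgPath-PLACEHOLDER HTTP/1.1" 200 0 "-" "curl/8.0"',
    '203.0.113.20 - - [01/Jan/2026:10:01:00 +0000] "GET /mifs/c/aftstore/fob/a/b/file.bin HTTP/1.1" 200 5120 "-" "okhttp/4.9"',
    '203.0.113.21 - - [01/Jan/2026:10:02:00 +0000] "GET /mifs/user/login.jsp HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for h in hunt(SAMPLE):
        print(h['ts'], h['src'], h['method'], h['status'], h['uri'])
```

The third sample line shows a request to the same path without the marker, which the hunt leaves alone.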

NVD Data


Description Summary

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

CVSS Base Score: 9.8 (Critical)

CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High

CWE: CWE-94 Code Injection
Version From:
Version Upto: 12.7.0.0

Affected Software (CPE) (1)

  • cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*