A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote…

CVE-2026-1340 is a pre-auth code injection in Ivanti Endpoint Manager Mobile (EPMM), the on-prem MDM/UEM server formerly known as MobileIron Core. Public reporting and vendor-linked analysis tie exploitation to the appstore and aftstore HTTP paths under /mifs/c/.../fob/, where crafted GET requests can be turned into OS command execution. Affected builds called out across vendor-linked and primary research are 12.5.0.0 and prior, 12.5.1.0 and prior, 12.6.0.0 and prior, 12.6.1.0 and prior, and 12.7.0.0 and prior; Ivanti initially shipped version-specific RPM hotfixes, with a permanent product fix later associated with 12.8.0.0.

The vendor's 9.8/CRITICAL rating matches reality. The only real friction is population size: this is limited to on-prem EPMM, not Ivanti's cloud MDM, so not every enterprise owns the problem. But once an org does own it, the path is brutally short: unauthenticated, network-reachable, no user interaction, edge-facing management plane, active exploitation, KEV listing, public exploit research, and downstream control over managed devices and enterprise access paths.

Why this verdict

• Held at vendor baseline because the vendor's 9.8 already reflects the real attack chain: unauthenticated, network-reachable RCE with no click path and no role prerequisite.
• No prerequisite drag because the attacker does *not* need prior foothold, internal network placement, stolen credentials, or admin/API access; those missing prereqs normally drive scores down, and they are absent here.
• Population trims only the ceiling: on-prem EPMM is a narrower installed base than mainstream VPN, email, or browser targets, which is why this stays at 9.8 instead of being described as a universal enterprise emergency. But KEV, public exploit research, and observed web-shell/reverse-shell deployment erase any case for downgrading below CRITICAL.

Why not higher?

There is no practical bucket above CRITICAL, and even within criticality the exposure population is not universal. This is limited to organizations running on-prem EPMM, and Ivanti's cloud MDM offering is not in scope, so the reachable victim set is materially smaller than a browser or Windows bug.

Why not lower?

Downgrading would ignore the actual friction audit. There is no authentication barrier, no internal-network prerequisite, no user interaction, and no special role requirement, and exploitation evidence is not hypothetical—Ivanti disclosed victim impact, CISA KEV later confirmed exploitation, and public researchers observed rapid post-disclosure abuse.

1. Pull EPMM behind restricted access now — If the appliance is still Internet-reachable, treat that as the primary amplifier and remove public reachability with VPN-only access, source-IP allowlisting, or upstream ACLs. Because this CVE is KEV-listed and exploitation is real, deploy this immediately, within hours, not by the normal 3-day CRITICAL mitigation clock.
2. Block exploit paths at the edge — Create emergency WAF/NGFW rules for /mifs/c/appstore/fob/ and /mifs/c/aftstore/fob/, especially requests carrying shell metacharacters or anomalous fob parameter structure. This is a containment move, not a substitute for patching, and it should also be in place immediately, within hours.
3. Hunt HTTP and appliance logs — Search EPMM HTTP logs for the vendor and Unit 42 path patterns, then pivot into process, filesystem, and outbound connection telemetry from the appliance. Because active exploitation often moved straight to persistence, complete this triage immediately, within hours on every exposed or recently exposed node.
4. Inspect for persistence artifacts — Check for JSP web shells, unexpected WAR/JAR files, temp staging files, reverse-shell children, and outbound callbacks from the EPMM host. This is not optional hygiene—if the box was exposed pre-patch, perform this review immediately, within hours.
5. Rotate trust after confirmed compromise — If you find evidence of compromise, rotate local EPMM accounts, LDAP/KDC or other service credentials tied to the appliance, and replace the public certificate used by EPMM. Ivanti's own recovery guidance treats compromise as a rebuild-and-retrust event, so complete this on affected systems immediately, within hours.

Run this on the EPMM appliance itself over SSH, ideally as root or with sudo, because it needs local RPM inventory. Save as check_cve_2026_1340.sh and run sudo bash ./check_cve_2026_1340.sh; it will print VULNERABLE, PATCHED, or UNKNOWN and exit non-zero for uncertain states.

#!/usr/bin/env bash
# check_cve_2026_1340.sh
# Conservative local check for Ivanti EPMM CVE-2026-1340.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / cannot determine

set -u

cve="CVE-2026-1340"

if ! command -v rpm >/dev/null 2>&1; then
  echo "UNKNOWN: rpm not found; not an expected EPMM appliance or insufficient environment for ${cve} check"
  exit 2
fi

RPM_LIST="$(rpm -qa 2>/dev/null || true)"
if [ -z "$RPM_LIST" ]; then
  echo "UNKNOWN: unable to read RPM database for ${cve}"
  exit 2
fi

# Helper: compare dotted versions using sort -V.
ver_ge() {
  # returns 0 if $1 >= $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# 1) Definitive hotfix detection from Ivanti/CISA-linked package names.
if echo "$RPM_LIST" | grep -Eiq 'ivanti-security-update-1761642-(1\.[01]\.0[SL]|1\.[01]\.0[SL]-|1\.[01]\.0[S|L])|security-update-1761642'; then
  echo "PATCHED: detected Ivanti security update RPM for ${cve} (1761642 series)"
  exit 0
fi

# 2) Try to infer installed EPMM base version from package inventory.
CANDIDATE_VERSIONS="$(echo "$RPM_LIST" | grep -Eio '(epmm|mobileiron|mifs|core)[^[:space:]]*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sort -Vu || true)"
BASE_VER="$(echo "$CANDIDATE_VERSIONS" | tail -n1)"

# 3) If base version is clearly a later fixed train, accept as patched.
if [ -n "$BASE_VER" ] && ver_ge "$BASE_VER" "12.8.0.0"; then
  echo "PATCHED: inferred EPMM base version ${BASE_VER} >= 12.8.0.0"
  exit 0
fi

# 4) If base version is within affected trains and no hotfix was found, mark vulnerable.
# Affected trains documented publicly: <=12.5.0.0, <=12.5.1.0, <=12.6.0.0, <=12.6.1.0, <=12.7.0.0
if [ -n "$BASE_VER" ]; then
  case "$BASE_VER" in
    12.5.*|12.6.*|12.7.0.0)
      echo "VULNERABLE: inferred affected EPMM version ${BASE_VER} and no security update RPM detected for ${cve}"
      exit 1
      ;;
  esac
fi

# 5) Fall back to filesystem hints if available.
for path in \
  /usr/local/tomcat/webapps/mifs/META-INF/MANIFEST.MF \
  /mi/tomcat/webapps/mifs/META-INF/MANIFEST.MF \
  /opt/mobileiron/*/META-INF/MANIFEST.MF
 do
  for file in $path; do
    [ -f "$file" ] || continue
    FOUND_VER="$(grep -Eio '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$file" 2>/dev/null | head -n1 || true)"
    if [ -n "$FOUND_VER" ]; then
      if ver_ge "$FOUND_VER" "12.8.0.0"; then
        echo "PATCHED: manifest version ${FOUND_VER} >= 12.8.0.0"
        exit 0
      fi
      case "$FOUND_VER" in
        12.5.*|12.6.*|12.7.0.0)
          echo "VULNERABLE: manifest shows affected version ${FOUND_VER} and no hotfix RPM detected for ${cve}"
          exit 1
          ;;
      esac
    fi
  done
done

echo "UNKNOWN: could not prove hotfix presence or confidently infer a fixed base version for ${cve}"
exit 2

Sources

1. Ivanti January 2026 EPMM Security Update
2. CVE Program record for CVE-2026-1340
3. Rapid7 emergent threat response for CVE-2026-1281/CVE-2026-1340
4. watchTowr exploitation writeup
5. watchTowr Labs technical exploit analysis
6. Palo Alto Unit 42 threat brief
7. Horizon3.ai affected and fixed-version summary
8. CISA KEV public data mirror