CVE-2026-1340

Ivanti Endpoint Manager Mobile (EPMM) — Pre-Auth Remote Code Execution via Android File Transfer URL Injection
🔥 CVSS 3.1  9.8 / 10 — CRITICAL 🔴 CISA Known Exploited Vulnerability

What is Ivanti Endpoint Manager Mobile?

Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, is an enterprise Mobile Device Management (MDM) platform. Organizations use it to enroll, configure, and enforce security policy across smartphones, tablets, and laptops — both corporate-owned and BYOD. EPMM is deployed on-premises and is typically internet-accessible to allow remote device enrollment and policy updates.

Because EPMM sits between an organization's internal network and its entire managed device fleet, it is a high-value target. Compromising the EPMM server gives an attacker the ability to push malicious configuration profiles to every enrolled device, intercept device telemetry, or use the management channel for lateral movement into the enterprise network.

Overview

CVE-2026-1340 is a code injection vulnerability in Ivanti EPMM's Android File Transfer (AFT) URL mapping component. Unsafe bash script execution in the map-aft-store-url script allows an unauthenticated remote attacker to inject arbitrary shell commands via HTTP GET requests to endpoints matching /mifs/c/aftstore/fob/*, achieving pre-authenticated remote code execution.

The vulnerability was exploited as a zero-day before Ivanti's January 29, 2026 disclosure. It was disclosed alongside CVE-2026-1281, a separate pre-authentication code injection in the In-House Application Distribution feature. Both are rated CVSS 9.8, each yields unauthenticated remote code execution on its own, and the two are typically used together in real-world attacks.

Affected Versions

  Version          Status
  EPMM 12.5.x      Vulnerable
  EPMM 12.6.x      Vulnerable
  EPMM 12.7.x      Vulnerable
  EPMM 12.8.0.0    Fixed (permanent patch)

Temporary fix: on January 29, 2026 Ivanti released RPM hotfixes, one for each deployment size:

  • ivanti-security-update-1761642-1.1.0S-5.noarch.rpm (Standard builds)
  • ivanti-security-update-1761642-1.1.0L-5.noarch.rpm (Large builds)

Permanent fix: EPMM 12.8.0.0 replaces the vulnerable bash scripts with Java class implementations (AFTUrlMapper.class, AppStoreUrlMapper.class) that perform URL rewriting without shell interpretation.

Technical Details

The root cause is unsafe bash script execution in the AFT (Android File Transfer) URL mapping layer. The map-aft-store-url script is invoked to handle HTTP GET requests to /mifs/c/aftstore/fob/* endpoints. User-supplied URL path components reach the script without sanitization and are re-parsed by the shell, so shell metacharacters in the request path change the command that actually runs: classic command injection.

Attack characteristics:

  • No credentials or session required (pre-authentication)
  • Exploitable via a single crafted HTTP GET request
  • Triggered through the EPMM management interface, which is commonly internet-accessible
  • Commands execute with the privileges of the EPMM service process

CWE-94 (Improper Control of Generation of Code): The application fails to neutralize user-controlled input before incorporating it into shell command execution, allowing injected metacharacters to alter the intended command logic.
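To make the CWE-94 pattern concrete, here is a constructed POSIX shell sketch added for this page. It is not Ivanti's map-aft-store-url script, whose contents are not reproduced here; the function names, the /aftstore/ prefix and the mapping logic are invented. The vulnerable function re-parses a URL path component with eval, so metacharacters in it become shell syntax; the hardened function allow-lists the component and passes it only as quoted data, which is the property the Java replacement in 12.8.0.0 achieves by not involving a shell at all.

```shell
#!/bin/sh
# Added illustration of the CWE-94 pattern described in the advisory. Not Ivanti's code:
# the function names, the /aftstore/ prefix and the mapping logic are invented.

# Vulnerable sketch: the untrusted path component ($1) is spliced into a command string
# and the string is re-parsed by the shell, so ';', '$(...)', '`...`', '|' and friends
# in the component are executed as shell syntax rather than treated as data.
map_aft_url_vulnerable() {
    eval "echo /aftstore/$1"
}

# Hardened sketch: reject anything outside a conservative allow-list (assumption: real
# store identifiers are alphanumeric plus . _ -) and never re-parse the value. printf
# with a fixed format string treats the component strictly as an argument.
map_aft_url_safe() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*)
            echo "rejected: disallowed characters in path component" >&2
            return 1
            ;;
    esac
    printf '/aftstore/%s\n' "$1"
}

# Constructed inputs: a benign identifier and two carrying injected commands.
# 'echo INJECTED' stands in for whatever an attacker would actually run.
BENIGN='app-1.2.apk'
MALICIOUS_SEMICOLON='x; echo INJECTED'
MALICIOUS_SUBST='x$(echo INJECTED)'

echo "vulnerable, benign:       $(map_aft_url_vulnerable "$BENIGN")"
echo "vulnerable, ';' payload:  $(map_aft_url_vulnerable "$MALICIOUS_SEMICOLON" | tr '\n' ' ')"
echo "vulnerable, \$() payload: $(map_aft_url_vulnerable "$MALICIOUS_SUBST")"
echo "safe, benign:             $(map_aft_url_safe "$BENIGN")"
if map_aft_url_safe "$MALICIOUS_SEMICOLON" 2>/dev/null; then
    echo "safe, ';' payload:        accepted (unexpected)"
else
    echo "safe, ';' payload:        rejected as intended"
fi
```

Run it with any POSIX sh. The vulnerable function prints INJECTED for both payloads, showing that the second command ran; the hardened function never lets the payload reach a parser in the first place. Quoting the expansion inside eval would not be enough, because eval still re-parses the whole string; the fix is to stop re-parsing.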

watchTowr's analysis, "Someone Knows Bash Far Too Well", documented the bash injection vector and produced a proof-of-concept, which was published after Ivanti released the hotfixes.

Discovery

CVE-2026-1340 was reported to Ivanti and confirmed as actively exploited before the January 29, 2026 public disclosure; no researcher has been publicly credited for the initial report. watchTowr Labs published the first detailed public technical analysis and proof-of-concept on January 30, 2026, in a write-up titled "Someone Knows Bash Far Too Well", and Horizon3.ai independently published exploit research and root-cause analysis shortly after. The permanent fix in EPMM 12.8.0.0, which replaces the bash scripts with Java URL-mapping classes (AFTUrlMapper.class), is consistent with the root cause both teams identified.

Exploitation Context

Ivanti confirmed active zero-day exploitation prior to the January 29, 2026 advisory. CVE-2026-1340 is closely paired with CVE-2026-1281 in real-world attacks: the two affect different EPMM components and either alone gives unauthenticated code execution, so attackers use both to maximize reliability against whichever component is reachable.

Ivanti EPMM has a significant history of critical exploitation. Prior major vulnerabilities in the same product include CVE-2023-35078 (auth bypass, exploited by nation-state actors to target Norwegian government ministries) and CVE-2023-35081 (path traversal). The pattern of recurring high-severity, pre-auth vulnerabilities in EPMM reflects sustained attacker interest in MDM infrastructure.

Public proof-of-concept code was released after the hotfixes shipped. Mass scanning for a vulnerable endpoint typically follows PoC publication within hours, so any internet-facing instance that was still unpatched at that point should be assumed to have been probed and reviewed for compromise rather than merely patched.

Remediation

  1. Apply the permanent fix — upgrade to EPMM 12.8.0.0 as soon as it is available for your version track
  2. Apply the temporary hotfix — if unable to upgrade immediately, install the RPM hotfix (1.1.0S-5 for Standard builds, 1.1.0L-5 for Large builds) from the Ivanti support portal
  3. Restrict internet exposure — the administrative interface should never be directly reachable from the internet; put it behind a VPN or zero-trust gateway. Device enrollment endpoints often must stay reachable, so where full isolation is impractical, front the server with a reverse proxy or WAF that limits which /mifs/ paths are exposed and logs every request to them
  4. Audit for compromise — review web-server access logs, and any upstream proxy or WAF logs, for requests to /mifs/c/aftstore/fob/ whose path contains shell metacharacters, raw or URL-encoded; check for unexpected child processes of the EPMM service, new administrative accounts, modified configuration profiles, and unexpected outbound connections from the EPMM host. A successful exploit gives code execution on the appliance, so treat on-host logs as possibly tampered and corroborate with logs collected off the host
  5. Apply the CVE-2026-1281 fix at the same time — both CVEs are typically exploited together, and the January 29 hotfixes address both
  6. Discontinue use if patching and network isolation cannot be achieved — given the critical severity and active exploitation
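As an added example for the audit step, not part of the original advisory or of any Ivanti tooling, the following shell functions scan access-log lines for requests to /mifs/c/aftstore/fob/ whose path carries shell metacharacters, either raw or URL-encoded. The combined access-log layout and the sample lines are constructed for the demonstration; the real EPMM log format and the exact byte patterns attackers used are assumptions, so a hit is a reason to investigate, not confirmation of compromise, and a clean result does not prove the host was not hit (double-encoded or otherwise obfuscated payloads are not covered).

```shell
#!/bin/sh
# Added example for the audit step: flag access-log requests to the vulnerable path whose
# URL carries shell metacharacters. Not Ivanti code; the log format is assumed to be the
# common combined format and the sample lines below are constructed.

# Print every request line targeting /mifs/c/aftstore/fob/ whose request path contains a
# shell metacharacter either raw (; | & ` $ ( ) { } < > \) or URL-encoded
# (%3B %7C %26 %60 %24 %28 %29 %7B %7D %3C %3E %5C, plus %0A/%0D for newline/CR),
# matched case-insensitively so lowercase hex encodings are caught too.
flag_suspicious_aft_requests() {
    # $1: path to an access log file
    grep -E '"(GET|POST|HEAD) /mifs/c/aftstore/fob/' "$1" \
      | grep -Ei '/mifs/c/aftstore/fob/[^ "]*([;|&`$(){}<>\\]|%(3B|7C|26|60|24|28|29|7B|7D|3C|3E|5C|0A|0D))'
}

# Number of flagged lines, so the result can be checked rather than only read.
count_suspicious_aft_requests() {
    flag_suspicious_aft_requests "$1" | wc -l | tr -d ' '
}

# Constructed sample log: two benign device-style requests, three that should be flagged
# (raw ';', encoded '$(' ')', and a backtick), and one unrelated /mifs/ request.
# 'id' is only a placeholder for an attacker's command.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [29/Jan/2026:08:01:12 +0000] "GET /mifs/c/aftstore/fob/app-1.2.apk HTTP/1.1" 200 5120 "-" "Dalvik/2.1.0"
203.0.113.10 - - [29/Jan/2026:08:01:13 +0000] "GET /mifs/c/aftstore/fob/icons/app.png HTTP/1.1" 200 811 "-" "Dalvik/2.1.0"
198.51.100.7 - - [29/Jan/2026:08:02:40 +0000] "GET /mifs/c/aftstore/fob/x;id HTTP/1.1" 200 0 "-" "curl/8.5.0"
198.51.100.7 - - [29/Jan/2026:08:02:41 +0000] "GET /mifs/c/aftstore/fob/x%24%28id%29 HTTP/1.1" 200 0 "-" "curl/8.5.0"
198.51.100.7 - - [29/Jan/2026:08:02:42 +0000] "GET /mifs/c/aftstore/fob/x`id` HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.22 - - [29/Jan/2026:08:03:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF

echo "Suspicious AFT requests in sample log:"
flag_suspicious_aft_requests "$SAMPLE_LOG"
echo "Total flagged: $(count_suspicious_aft_requests "$SAMPLE_LOG")"
rm -f "$SAMPLE_LOG"
```

Point flag_suspicious_aft_requests at the real access log (and at reverse-proxy logs, which an attacker on the appliance cannot rewrite) and pivot from any hit on the source IP and timestamp to process, account and outbound-connection evidence. Note that a 200 response to an injected request is not reassuring: the injected command can succeed while the mapping itself appears to work.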

Key Details

  Property               Value
  CVE ID                 CVE-2026-1340
  Vendor / Product       Ivanti — Endpoint Manager Mobile (EPMM)
  NVD Published          2026-01-29
  NVD Last Modified      2026-02-20
  CVSS 3.1 Score         9.8
  CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Severity               CRITICAL
  CWE                    CWE-94
  CISA KEV Added         2026-04-08
  CISA KEV Deadline      2026-04-11
  Known Ransomware Use   No

CVSS 3.1 Breakdown

  Attack Vector          Network
  Attack Complexity      Low
  Privileges Required    None
  User Interaction       None
  Scope                  Unchanged
  Confidentiality        High
  Integrity              High
  Availability           High

Required Action

CISA BOD 22-01 Deadline: 2026-04-11. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

  Date          Event
  2026-01-29    Ivanti publishes security advisory and releases temporary RPM hotfixes for CVE-2026-1281 and CVE-2026-1340
  2026-01-29    Active zero-day exploitation confirmed by Ivanti
  2026-01-30    watchTowr Labs publishes technical analysis and proof-of-concept ("Someone Knows Bash Far Too Well")
  2026-04-08    Added to CISA Known Exploited Vulnerabilities catalog
  2026-04-11    CISA BOD 22-01 remediation deadline