Ivanti Endpoint Manager Mobile, Code Injection, CVE-2026-1281 (Critical)

Listen to this Post

CVE-2026-1281 is a critical code injection vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) versions 12.5.0.0 through 12.7.0.0, including 12.5.1.0, 12.6.0.0, 12.6.1.0, and 12.7.0.0. The flaw resides in the In-House Application Distribution and Android File Transfer Configuration features. It allows an unauthenticated attacker to achieve remote code execution on vulnerable on-premises EPMM appliances. The attack vector is network-based with low complexity, and no privileges or user interaction are required. The root cause is insufficient input validation and improper handling of user-supplied data, leading to CWE-94: Improper Control of Generation of Code (‘Code Injection’). Specifically, the vulnerability is reachable via the `/mifs/c/appstore/fob/` route. Attacker-controlled request components are passed through Apache RewriteMap into the legacy `map-appstore-url` Bash script. Due to unsafe handling of attacker-influenced values in a numeric comparison, Bash arithmetic expansion can be triggered. This results in OS command execution, allowing a remote attacker to fully compromise the EPMM appliance. A public proof-of-concept (PoC) exploit is available on GitHub, and active exploitation in the wild has been confirmed. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Exploitation can be achieved via a crafted POST request to the vulnerable endpoint. Successful exploitation grants the attacker full control of the system, with a CVSS base score of 9.8 (Critical). Ivanti released temporary and permanent patches as of January 30, 2026, in the form of RPM packages.
Platform: Ivanti EPMM
Version : 12.5.0.0-12.7.0.0
Vulnerability : Code Injection
Severity : CRITICAL
date : Jan 29,2026

Prediction: Q1 2026

Analytics under What Undercode Say:

PoC: Exploit CVE-2026-1281
curl -X POST "https://target/mifs/c/appstore/fob/" -d "cmd=id"
Detection: Check EPMM logs for exploitation
grep -E "cmd=|/fob/" /var/log/httpd/https-access_log
Mitigation: Apply RPM patch
rpm -ivh ivanti-epmm-patch-12.x.0.x.rpm

Exploit:

CVE-2026-1281 is exploited via crafted POST requests to the `/mifs/c/appstore/fob/` endpoint, injecting malicious code into the Bash arithmetic expansion to achieve RCE.

Protection from this CVE:

Apply the RPM patches (12.x.0.x or 12.x.1.x) immediately. If patching is not possible, implement network segmentation to restrict access to EPMM systems.

Impact:

Full compromise of EPMM appliance, data theft (credentials, device info), lateral movement, and potential ransomware deployment.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top