What is CVE-2026-1340?

CVE-2026-1340 is a code injection vulnerability (CWE-94) in the Android File Transfer Configuration feature of Ivanti EPMM. The flaw lives in a Bash script named map-aft-store-url that parses URL parameters sent to the public endpoint /mifs/c/aftstore/fob/. Because the script drops attacker-controlled strings directly into Bash arithmetic expansion — $((...)) — a crafted GET request to an unauthenticated endpoint results in arbitrary OS command execution with the privileges of the EPMM web server.

Is CVE-2026-1340 being actively exploited?

Palo Alto Networks' Unit 42 reported widespread, mostly automated exploitation of the chained CVE-2026-1281 + CVE-2026-1340 pair across the public internet. watchTowr, Rapid7, and Arctic Wolf have all published independent observations of in-the-wild exploitation. Confirmed post-exploitation behaviors include:

Am I exposed to CVE-2026-1340?

The fixed release is 12.8.0.0, published on March 18, 2026. Ivanti also shipped RPM-based interim patches for the older supported branches — these replace the vulnerable Bash scripts with compiled Java classes (AFTUrlMapper.java and AppStoreUrlMapper.java) via an Apache HTTPd configuration swap. The interim RPMs do not persist across version upgrades and must be reapplied if the appliance is upgraded.

How do I fix CVE-2026-1340?

This is the permanent fix. The upgrade replaces the vulnerable Bash scripts with compiled Java mappers and removes the code injection vector entirely.

CVE-2026-1340: Ivanti EPMM Pre-Auth Code Injection — Mass-Exploited CVSS 9.8 RCE

By the Pinaka team — April 16, 2026

CVE-2026-1340 is a critical (CVSS 9.8) code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) versions 12.5.x through 12.7.x that gives unauthenticated attackers remote code execution via Bash arithmetic expansion on the /mifs/c/aftstore/fob/ endpoint. Chained with CVE-2026-1281 and added to CISA KEV on April 8, 2026. Mass-exploited in the wild for web shells, reverse shells, and cryptominers. Fixed in EPMM 12.8.0.0 with RPM interim patches available for older branches.

Topics: CVE Analysis, Ivanti, Code Injection, CISA KEV, Mobile Device Management, Pre-Auth RCE

Read full analysis