THREAT OPS › Threat News › Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340)
Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340)
<img alt="Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340)" src="https://storage.ghost.io/c/a0/dc/a0dcbbe4-0ae7-4d7e-90f7-ebbc3a0f5a84/content/images/2026/01/Group-8730.png" /><p>When Ivanti removed the embargoes from CVE-2026-1281 and CVE-2026-1340 - actively exploited pre-auth Remote Command Execution vulnerabilities in Ivanti’s
MITRE ATT&CK techniques
- VulnerabilitiesT1588.006
Indicators of compromise
- 123aabf796106cfb2ab40cbbd43ba5b44fd937f1a5856e0a95640ba6f9d71843sha256
- CVE-2026-1281cve
- CVE-2026-1340cve
- https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US&ref=labs.watchtowr.comurl
- https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_USurl
- https://www.nccgroup.com/research-blog/shell-arithmetic-expansion-and-evaluation-abuse/?ref=labs.watchtowr.comurl
- https://unix.stackexchange.com/questions/172103/security-implications-of-using-unsanitized-data-in-shell-arithmetic-evaluation?ref=labs.watchtowr.comurl
- 12.8.0.0ipv4
- 12.7.0.0ipv4
- storage.ghost.iodomain