Versions (2)
Version DetailsCurrent
Rev: 2 • Jan 30, 2026, 12:00 PMET WEB_SPECIFIC_APPS Ivanti Endpoint Manager Mobile Unauthenticated Remote Code Execution (CVE-2026-1281 & CVE-2026-1340)
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Endpoint Manager Mobile Unauthenticated Remote Code Execution (CVE-2026-1281 & CVE-2026-1340)"; flow:established,to_server; http.uri; content:"/mifs/c/"; startswith; content:"/fob/3/"; distance:0; content:"sha256|3a|"; distance:0; content:"st|3d|theValue"; fast_pattern; distance:0; content:"h|3d|"; pcre:"/^(?:gPath|ret)(?:\x5b|\x25(?:25)?5[bB])(?:(?!\x25(?:25)?5[dD]|\x5d).)+(?:[\x3b\x24\x26\x60\x7c]|\x25(?:3[bB]|2[46]|60|7[cC]))/R"; reference:url,labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/; reference:cve,2026-1281; reference:cve,2026-1340; classtype:web-application-attack; sid:2067230; rev:2; metadata:affected_product Ivanti, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_30, cve CVE_2026_1281_CVE_2026_1340, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_02_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Jan 30, 2026, 12:00 PM
Feb 5, 2026, 12:00 PM
Feb 2, 2026, 9:34 PM
Feb 5, 2026, 11:34 PM
rules/emerging-web_specific_apps.rules