ET WEB_SPECIFIC_APPS Ivanti Endpoint Manager Mobile Unauthenticated Remote Code Execution (CVE-2026-1281 & CVE-2026-1340)
Sourceet/open
CreatedJanuary 30, 2026
UpdatedFebruary 5, 2026
Classificationweb-application-attack
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Endpoint Manager Mobile Unauthenticated Remote Code Execution (CVE-2026-1281 & CVE-2026-1340)"; flow:established,to_server; http.uri; content:"/mifs/c/"; startswith; content:"/fob/3/"; distance:0; content:"sha256|3a|"; distance:0; content:"st|3d|theValue"; fast_pattern; distance:0; content:"h|3d|"; pcre:"/^(?:gPath|ret)(?:\x5b|\x25(?:25)?5[bB])(?:(?!\x25(?:25)?5[dD]|\x5d).)+(?:[\x3b\x24\x26\x60\x7c]|\x25(?:3[bB]|2[46]|60|7[cC]))/R"; reference:url,labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/; reference:cve,2026-1281; reference:cve,2026-1340; classtype:web-application-attack; sid:2067230; rev:2; metadata:affected_product Ivanti, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_30, cve CVE_2026_1281_CVE_2026_1340, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_02_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
References
Metadata
affected productIvanti
attack targetServer
tls stateTLSDecrypt
created at2026_01_30
cveCVE_2026_1281_CVE_2026_1340
deploymentSSLDecrypt
confidenceHigh
signature severityMajor
tagExploit
updated at2026_02_05
mitre tactic idTA0001
mitre tactic nameInitial_Access
mitre technique idT1190
mitre technique nameExploit_Public_Facing_Application
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!