Smartphones have become an indispensable tool in everyday life. One can shop, browse, watch videos, listen to music, stay in touch on social media...the list goes on and on. Basically anything one can do on a computer can be done on a phone. The difference is that mobile phones don’t usually have the same type of security software that a computer does, making them an easy vector for malicious activity. The threats include smishing (SMS phishing), scam calls, QR code compromise, and now code injection via HTTP requests in Ivanti that can lead to remote code execution on iOS and Android, among others.
Ivanti is an IT software company offering a variety of management and security products. It has a history of mergers with other IT vendors over the years, and came onto the market under its current name in 2017. This is not the first time the company’s products have been added to CISA’s Known Exploited Vulnerabilities catalog. The current entries are CVE-2026-1281 and CVE-2026-1340, both of which allow unauthenticated RCE. They are quite narrow and specific, but WatchTowr Labs has broken them down, at least for those of us familiar with Bash. And since it’s my job to break that down even further for those who aren’t, let’s get started.
Bash is the script Linux code is written in, and it is used in many mobile platforms because it doesn’t need much memory space and is generally pretty secure. As in, not many varieties of malware affect Linux, although obviously generally secure does not mean completely invulnerable. As coding languages go, it’s fairly straightforward and easy to learn. In fact, before I even started my cybersecurity training, I learned Bash scripting in a matter of days, much of which was self-study. Commands in the language have some hallmarks that are to this day glaring red flags when doing analysis. Exploitation of this pair of vulnerabilities abuses GET and REWRITE.
GET is just what it says on the tin: data seeking. It’s the command for ‘find this thing’. In and of itself, it’s a normal part of any command line. It’s what one does with that data’s endpoint that’s important here. REWRITE is also what it says on the tin: rewriting the command of an if/then request.
Commands are a sequence of switches, essentially. If this, then that. Yes or no. On or off. I recently described digital code as being like DNA. Gene expression is merely a matter of having something switched on or off. This is why inherited traits like facial structure, eye color, even the texture of hair can skip generations. The parent could have a trait, but the child does not, then the child’s child has the trait active again. The gene is always present, it’s just turned on or off. We have tens of thousands of genes, which is what leads to such diversity among us as a species. Digital code is not nearly as complex, but it behaves in much the same way. RCE is, by definition, a switch in command expression by an outside actor.
CVE-2026-1281 and CVE-2026-1340 are vulnerable to manipulations of GET/REWRITE in which an injected command replaces the existing Bash command with a new one in Java. As vulnerabilities go, these take some skill to exploit, as the exploitation showed up in a rather roundabout way, according to WatchTowr’s research. Exploitation requires HTTP requests and knowledge of the Java paths, which are then subtly inserted into a GET command for a timestamp. But like I said, Bash is easy to learn. And threat actors are constantly finding innovative ways to exploit vulnerabilities for their own ends.
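The red flags mentioned above (Bash command substitution, command chaining and redirection characters turning up inside a GET request that should only carry a timestamp) can be turned into a simple log check. This is an added example, not code from this post, from Ivanti or from WatchTowr; the log lines, the endpoint path and the `ts` parameter name are constructed placeholders, not real Ivanti endpoints.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Bash hallmarks that stand out inside a query string: command substitution,
# backticks, command chaining and redirection. Any one of them in a parameter
# that should hold a plain timestamp is worth an alert.
SHELL_MARKERS = re.compile(r"\$\(|\$\{|`|;|\|\||&&|\|(?!\|)|>|<")

# Constructed access-log lines (common log format). Paths and parameter
# names are placeholders, not Ivanti's real endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2026:10:01:02 +0000] "GET /api/status?ts=1770890462 HTTP/1.1" 200 512
10.0.0.9 - - [12/Feb/2026:10:01:07 +0000] "GET /api/status?ts=1770890467%3Bid HTTP/1.1" 200 734
10.0.0.9 - - [12/Feb/2026:10:01:09 +0000] "GET /api/status?ts=%24(uname%20-a) HTTP/1.1" 500 88
10.0.0.7 - - [12/Feb/2026:10:02:11 +0000] "GET /static/app.js HTTP/1.1" 200 9031
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_params(target):
    """Return (name, decoded value) for each query parameter carrying shell markers."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again to catch double-encoding
        decoded = unquote(value)
        if SHELL_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_log(text):
    """One finding per GET request whose query string looks like a shell injection attempt."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"src": m["src"], "time": m["time"],
                             "status": m["status"], "params": hits})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["src"], f["status"], f["params"])
```

Only the two requests from 10.0.0.9 are flagged; the plain timestamp and the static file request pass through untouched.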
Ivanti has not released details of how these are being exploited in the wild, other than the versions affected. For CVE-2026-1281 these are 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior; for CVE-2026-1340 they are 12.5.1.0 and prior and 12.6.1.0 and prior. There are patches, but they are a temporary solution involving reinstallation of an RPM, the Linux-based package manager upon which Ivanti runs. The permanent ‘fix’ will be available when the software upgrades to a new version later in this first quarter of the year. However, there is another way to reduce the chance of falling victim to these RCEs. Turn off HTTP requests in your phone’s settings, so that it will only process HTTPS. This may affect how some apps function, but that S stands for Secure. It’s there for a reason. And as always, your friendly neighborhood WISP is here to help.