Cyber Threat Brief — April 9 2026
1. Ivanti EPMM Pre-Auth RCE — CVE-2026-1340 (+ CVE-2026-1281)
TL;DR: CISA added CVE-2026-1340 to KEV on April 8 with an April 11 federal patch deadline; Unit 42, watchTowr, Arctic Wolf, and Telekom CERT all confirm mass automated exploitation dropping webshells, cryptominers, and dormant backdoors. Two public PoCs live on GitHub — any internet-exposed EPMM without the March RPM patch should be treated as compromised until proven otherwise.
What’s New:
- CISA KEV addition April 8, 2026; BOD 22-01 remediation deadline Saturday April 11 (FCEB).
- Second public PoC published (MehdiLeDeaut/CVE-2026-1281-Ivanti-EPMM-RCE) with 50+ prebuilt payloads, reverse-shell + webshell modules, and blue-team detection scripts; the earlier YunfeiGE18 PoC is also still live.
- Root cause now fully documented: bash arithmetic expansion in /mi/bin/map-appstore-url evaluates the h URL parameter (a padded st bypasses the length check), reached unauthenticated via Apache RewriteMap on /mifs/c/appstore/fob/*.
- Ivanti's temporary RPM replaces the vulnerable bash scripts with compiled Java classes (AFTUrlMapper.java / AppStoreUrlMapper.java); confirm the swap is present post-patch.
- Observed post-exploit: webshell drop, XMRig cryptominer, and at least one dormant backdoor strain; Unit 42 reports auth-bypass chaining with historical MobileIron flaws on some hosts.
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| GET /mifs/c/appstore/fob/* with kid=, st=, et=, h= params | URI | T1190 | Apache https-access_log (/var/log/httpd/https-access_log), WAF, reverse proxy | Alert on any external hit (Ivanti's own regex is in the Analysis Guide); 404 responses are likely attempted exploitation |
| h parameter containing $(, backticks, \|, ;, &&, or URL-encoded equivalents (%24%28, %60) | Payload | T1059.004 | Apache access log, Zeek http.log, WAF body capture | |
| st parameter containing two leading spaces or %20%20 (length-check padding bypass) | Payload | T1190 | Apache access log, WAF | High-fidelity signature: legitimate clients never pad st |
| Apache httpd / www-data spawning sh, bash, curl, wget, python, perl, nc, /bin/sh -c | Process | T1059.004 | auditd execve, Sysmon-for-Linux EID 1, EDR | Alert: EPMM Apache workers should never fork shells |
| map-appstore-url script invocation with non-numeric arguments, or child processes of map-appstore-url | Process | T1059.004 | auditd, EDR process tree | Hunt: chain this with RewriteMap invocations |
| XMRig artifacts, /tmp/.*, /var/tmp/* ELF drops, crontab modifications on EPMM hosts | File | T1496 / T1053.003 | Sysmon FileCreate, Falco, EDR | Alert: post-exploit miner or persistence |
| New .jsp / .php files under /mi/tomcat/webapps/, /var/www/, or any EPMM document root | File | T1505.003 | File-integrity monitoring, Falco, EDR | Alert: webshell drop |
| Outbound from EPMM to unknown IPs shortly after an /mifs/c/appstore/fob/* hit | Network | T1071.001 | Zeek conn.log, NetFlow, firewall | Hunt: 60s correlation window between inbound exploit and new egress |
| EPMM on versions ≤ 12.7.0.0 without the March RPM patch; absence of AFTUrlMapper.class | Exposure | T1590 | Asset inventory, Ivanti console version, package listing | Inventory: isolate or take offline until patched |
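The first three rows of the table (appstore URI hit, shell metacharacters in h, padded st) as one detection pass over Apache access-log lines. This is an added Python example, not Ivanti's Analysis Guide regex and not the detection scripts shipped in either PoC repository; it assumes Apache combined log format, and the sample lines are constructed, not real telemetry.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache combined-format access-log line; the request target is captured so the
# path and query string can be parsed separately (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

APPSTORE_PREFIX = "/mifs/c/appstore/fob/"

# Shell metacharacters that indicate command substitution or command chaining
# inside the h parameter, checked after URL decoding.
SHELL_META_RE = re.compile(r"\$\(|`|\||;|&&")


def inspect(line):
    """Return a list of (rule, detail) findings for one access-log line.

    An empty list means the line is either not parseable or not a request to
    the vulnerable appstore path.
    """
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(APPSTORE_PREFIX):
        return []

    # Any external hit on the path is worth an alert on its own; a 404 is
    # typically a probe that did not find a valid app id.
    findings = [("appstore_fob_request",
                 f"{m.group('ip')} {m.group('method')} {parts.path} -> {m.group('status')}")]

    # parse_qsl percent-decodes values and keeps leading whitespace intact,
    # which is exactly what the st padding check needs.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))

    st = params.get("st", "")
    if st.startswith("  "):
        findings.append(("st_padding_bypass", repr(st)))

    h = params.get("h", "")
    meta = SHELL_META_RE.search(h)
    if meta:
        findings.append(("h_shell_metachar", f"{meta.group(0)!r} in {h!r}"))

    return findings


def rule_names(line):
    """Just the rule names for a line, for counting and for tests."""
    return [rule for rule, _ in inspect(line)]


# Constructed sample lines (not real telemetry): one exploit-shaped request,
# one ordinary login-page hit, one appstore hit with benign parameters.
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Apr/2026:10:15:01 +0000] "GET /mifs/c/appstore/fob/app'
    '?kid=1&st=%20%201712570000&et=1712573600&h=%24%28x%29 HTTP/1.1" 404 162',
    '192.0.2.9 - - [08/Apr/2026:10:15:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1024',
    '203.0.113.5 - - [08/Apr/2026:10:15:03 +0000] "GET /mifs/c/appstore/fob/app'
    '?kid=2&st=1712570000&et=1712573600&h=abc HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for rule, detail in inspect(line):
            print(f"{rule:22} {detail}")
```

Run it against /var/log/httpd/https-access_log on the appliance (or the WAF or proxy copy of the same requests). Decoding happens once, so a double-encoded payload (%2524) would only show up as an appstore_fob_request; the base rule is therefore the one to alert on, with the two payload rules raising priority.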
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Servers Executing Suspicious Processes, Linux Auditd Preload Hijack Library Calls (adjacent) | Need: Ivanti-specific rule keyed on /mifs/c/appstore/fob/* + shell command substitution in query string; parent=httpd child=shell |
| Elastic | Linux Suspicious Child Process From Web Server, Potential Webshell Activity (adjacent) | Need: Ivanti URI-path allowlist rule; regex for $( / %24%28 in h/st/et parameters |
| Sigma | proc_creation_lnx_susp_child_process_from_web_server.yml, web_cve_generic_command_injection.yml | Need: Ivanti-specific proxy rule and bash-script map-appstore-url child-process rule |
Mitigation: Apply Ivanti RPM 12.x.0.x or 12.x.1.x now (required by Saturday for FCEB). If patching is blocked, remove /mi/bin/map-appstore-url from the RewriteMap config, block /mifs/c/appstore/fob/* at the edge, and take EPMM off the public internet. Treat any EPMM appliance with a matching access-log hit as needing DFIR triage — dormant-backdoor reports mean absence of current shell activity does not equal clean.
Sources: CISA KEV · Security Affairs · Unit 42 · Tenable · watchTowr Labs · Arctic Wolf · Horizon3 · Ivanti Advisory · PoC – MehdiLeDeaut · PoC – YunfeiGE18
2. PraisonAI Pre-Auth RCE Pair — CVE-2026-39890 / CVE-2026-39888
TL;DR: Two critical unauthenticated RCEs disclosed April 8 in PraisonAI, the multi-agent framework: CVE-2026-39890 (CVSS 9.8) is js-yaml deserialization via AgentService.loadAgentFromFile, and CVE-2026-39888 (CVSS 9.9) is a sandbox escape in execute_code() via frame-walking through __traceback__. No ITW exploitation yet but public advisories include full PoC mechanics — expect scanning within days.
What’s New:
- CVE-2026-39890 (RCE via YAML): loadAgentFromFile calls js-yaml without FAILSAFE_SCHEMA; !!js/function and !!js/undefined tags execute embedded JS at parse time. Fixed in 4.5.115.
- CVE-2026-39888 (sandbox escape): execute_code() with sandbox_mode="sandbox" relies on an AST blocklist of only 11 attribute names; the attacker raises a caught exception, then walks __traceback__.tb_frame.f_back.f_builtins to recover exec. Fixed in 1.5.115.
- Adjacent advisories published the same day: CVE-2026-39891 (template injection), CVE-2026-39307 (Zip Slip), CVE-2026-39308 (path traversal), CVE-2026-34953 (auth bypass). Treat this as a coordinated PraisonAI advisory cluster.
- No CISA KEV entry, no confirmed ITW — but all three cluster members have public vulnerability writeups, so opportunistic scanning is the near-term expectation.
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST / PUT to PraisonAI agent-file upload endpoints (commonly /api/agents/load, /api/agents/upload, /api/v1/agents/*) | URI | T1190 | Web proxy, app access logs, ingress controller | Alert on external POST with Content-Type: application/x-yaml or filename *.yaml / *.yml |
| YAML payloads containing !!js/function, !!js/undefined, or tag:yaml.org,2002:js/ | Payload | T1059.007 | WAF body inspection, Zeek http.log post-body | Alert: no legitimate agent file uses these tags |
| Python/Node child process from PraisonAI service spawning sh, bash, curl, wget, python -c, node -e | Process | T1059.006 / T1059.007 | auditd, Sysmon-for-Linux, EDR | Alert: the PraisonAI worker should not fork arbitrary shells |
| Python tracebacks in logs containing f_builtins / f_back / tb_frame attribute access from user-submitted code | Payload | T1027 | Application logs, container stdout | Hunt: sandbox-escape chain signature |
| Outbound from PraisonAI pods/containers to non-allowlisted destinations after agent-file upload | Network | T1071.001 | Zeek conn.log, container egress, CNI flow logs | Hunt: correlate upload timestamps with new egress |
| PraisonAI PyPI package versions < 1.5.115 (sandbox) or < 4.5.115 (YAML loader) | Exposure | T1195.001 | SBOM, pip list, image scanner | Inventory: upgrade or isolate |
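The upload-endpoint, YAML-tag and frame-walk rows above as code that can sit in front of an agent-file upload and in a log-hunting job. This is an added Python example, not PraisonAI's code and not from any of the advisories. The upload-request shape (content type, filename, body), the sample agent file and the sample tool code are all constructed; matching the "!!js/" prefix generalizes the two tags the advisory names to every js-yaml JavaScript tag, and the frame-attribute set is exactly the four names the advisory lists.

```python
import ast
import re

# js-yaml JavaScript-specific tags in both the short "!!js/..." form and the
# expanded tag-URI form. The prefix match covers !!js/function and
# !!js/undefined (named in the advisory) plus any other js/ tag.
UNSAFE_YAML_TAG_RE = re.compile(r"!!js/[A-Za-z]+|tag:yaml\.org,2002:js/[A-Za-z]*")

# Attribute names of the traceback/frame chain that the sandbox escape walks.
FRAME_WALK_ATTRS = {"__traceback__", "tb_frame", "f_back", "f_builtins"}


def unsafe_yaml_tags(body):
    """Return the distinct js-yaml JS tags found in a YAML document body."""
    return sorted(set(UNSAFE_YAML_TAG_RE.findall(body)))


def scan_agent_upload(content_type, filename, body):
    """Findings for one agent-file upload (request shape is assumed, not PraisonAI's API).

    Mirrors the two alert rows: any YAML agent upload from outside is worth a
    look, and a js-yaml JS tag inside it is a high-confidence alert.
    """
    findings = []
    media_type = content_type.split(";")[0].strip().lower()
    is_yaml = media_type == "application/x-yaml" or filename.lower().endswith((".yaml", ".yml"))
    if not is_yaml:
        return findings
    findings.append("yaml_agent_file_upload")
    if unsafe_yaml_tags(body):
        findings.append("js_yaml_unsafe_tag")
    return findings


def frame_walk_attrs(code):
    """Frame-chain attribute names referenced by user-submitted Python code.

    Covers direct attribute access (x.tb_frame) and string-based access
    (getattr(x, "tb_frame")). Returns [] for code that does not parse.
    """
    try:
        tree = ast.parse(code)
    except SyntaxError:
        return []
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in FRAME_WALK_ATTRS:
            hits.add(node.attr)
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and node.value in FRAME_WALK_ATTRS):
            hits.add(node.value)
    return sorted(hits)


# Constructed samples: an agent file carrying a js-yaml function tag, and a
# tool snippet that starts down the traceback/frame chain.
SAMPLE_AGENT_YAML = """\
name: helper
role: assistant
instructions: !!js/function "function () { return 'hi'; }"
"""

SAMPLE_TOOL_CODE = """\
try:
    raise ValueError("x")
except ValueError as err:
    frame = err.__traceback__.tb_frame
"""

if __name__ == "__main__":
    print(scan_agent_upload("application/x-yaml", "agent.yaml", SAMPLE_AGENT_YAML))
    print(frame_walk_attrs(SAMPLE_TOOL_CODE))
```

The AST scan is a hunting signal for submitted code and logged tracebacks, not a sandbox: the brief's own point is that an 11-name attribute blocklist was walked around, so the only fix is the upgrade, with this check used to find who tried before the patch landed.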
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Detect Webshell Exploit Behavior, Linux Auditd Possible Cron Script Root Execution Attempt (adjacent) | Need: rule matching !!js/function in HTTP POST body + PraisonAI URI paths; Python parent spawning shell |
| Elastic | Suspicious Python Child Process, Suspicious Node.js Child Process | Need: js-yaml unsafe-tag regex rule keyed on agent-upload endpoints |
| Sigma | proc_creation_lnx_susp_child_process_from_web_server.yml (adjacent) | Need: PraisonAI-specific proxy rule and Python-sandbox frame-walk audit rule |
Mitigation: Upgrade to PraisonAI ≥ 4.5.115 (and praisonaiagents ≥ 1.5.115) immediately; if blocked, put the agent-file-upload API behind authenticated proxy, strip Content-Type: application/x-yaml, and run PraisonAI in a minimal container with no outbound egress. Audit SBOMs for transitive pulls of vulnerable PraisonAI.
Sources: TheHackerWire – 39890 · TheHackerWire – 39888 · TheHackerWire – 39891 template injection · GitLab Advisory – 39307 Zip Slip · GitLab Advisory – 39308 path traversal
Status Updates
- CVE-2026-35616 (Fortinet FortiClient EMS): CISA KEV federal remediation deadline passed April 9. Confirm EMS hotfix applied; treat unpatched internet-facing EMS as compromise-presumed. Original brief.
- CVE-2025-59528 (Flowise CustomMCP): No new ITW telemetry since April 8 disclosure; Starlink-attributed source IP continues probing honeypots per VulnCheck. Upgrade to ≥3.1.1 remains the only mitigation. Original brief.
- BlueHammer Windows LPE: Still unpatched, no CVE assigned; both Chaotic Eclipse and 0xjustBen PoC forks live. Continue Sysmon hunts on IMpServiceRPC calls and junctions under C:\ProgramData\Microsoft\Windows Defender\. Original brief.
- CVE-2026-5281 (Chrome Dawn WebGPU): KEV deadline April 15; no additional exploitation reports. Original brief.