CVE-2026-1281

CVE-2026-1281 — Ivanti EPMM Code Injection Exploitation

Initial Access Execution Persistence Last updated:

Detects exploitation of CVE-2026-1281, a code injection vulnerability (CWE-94) in Ivanti Endpoint Manager Mobile (EPMM). This KEV-listed vulnerability allows remote attackers to inject and execute arbitrary code via the EPMM management interface. Detection focuses on anomalous process execution, suspicious web shell activity, and unexpected outbound connections from EPMM server infrastructure.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Ivanti
Product
Endpoint Manager Mobile (EPMM)

Weakness (CWE)

CWE-94

Timeline

Disclosed
January 29, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2026-1281 CVE-2026-1281 — Ivanti EPMM Code Injection Exploitation?

CVE-2026-1281 — Ivanti EPMM Code Injection Exploitation (CVE-2026-1281) maps to the Initial Access and Execution and Persistence tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for CVE-2026-1281 — Ivanti EPMM Code Injection Exploitation, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceProcessEvents, Windows Security Event Log. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence
Microsoft Sentinel / Defender
kusto 
let epmm_processes = dynamic(['java', 'tomcat', 'mi-dm', 'openapi-generator', 'mics']);
let suspicious_children = dynamic(['cmd.exe', 'powershell.exe', 'sh', 'bash', 'curl', 'wget', 'python', 'python3', 'perl', 'nc', 'ncat', 'nmap']);
union DeviceProcessEvents, SecurityEvent
| where TimeGenerated >= ago(7d)
| where (InitiatingProcessFileName has_any (epmm_processes) or ParentProcessName has_any (epmm_processes))
| where (ProcessCommandLine has_any (suspicious_children) or FileName has_any (suspicious_children))
| extend RiskScore = case(
    ProcessCommandLine has 'whoami' or ProcessCommandLine has 'id', 'HIGH',
    ProcessCommandLine has 'wget' or ProcessCommandLine has 'curl', 'HIGH',
    ProcessCommandLine has 'chmod' or ProcessCommandLine has 'base64', 'MEDIUM',
    'LOW'
  )
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, ParentProcessName, RiskScore
| order by TimeGenerated desc

Detects EPMM service processes (Java/Tomcat) spawning anomalous child processes indicative of code injection exploitation. Covers web shell execution, reverse shell staging, and post-exploitation enumeration commands.

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel DeviceProcessEvents Windows Security Event Log

Required Tables

DeviceProcessEvents SecurityEvent

False Positives

  • Legitimate administrative scripts run by EPMM service accounts during maintenance
  • Automated health-check or monitoring agents spawned by Tomcat on the EPMM server
  • Patch deployment tooling that temporarily invokes shell commands via the EPMM service user

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-1281 — Ivanti EPMM Code Injection Exploitation (CVE-2026-1281) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-1281 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-1281

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (4)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate EPMM Code Injection via Curl to Local Test Endpoint

    Expected signal: Network logs showing POST request to EPMM endpoint; if exploitable, process execution logs for id/whoami/uname commands spawned by Java process.

  2. Test 2Emulate Post-Exploitation Child Process Spawn from Java Parent

    Expected signal: Process creation events showing bash/sh spawned from a process named java_epmm_sim; command line includes id, whoami, hostname.

  3. Test 3Simulate Web Shell Drop and Execution via EPMM Webapps Directory

    Expected signal: File creation event in Tomcat webapps directory for a .jsp file; auditd SYSCALL write/open record pointing to webapps path.

  4. Test 4Simulate Outbound C2 Beacon from EPMM Server Context

    Expected signal: Network connection event from EPMM host to external IP on port 4444; process initiating the connection is curl with parent process in EPMM service context.

Unlock Pro Content

Get the full detection package for CVE-2026-1281 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1505.003Web ShellT1078.002Domain Accounts

Same Tactic: Initial Access

Popular Detections