Detect CVE-2026-1281 — Ivanti EPMM Code Injection Exploitation in Microsoft Sentinel
Detects exploitation of CVE-2026-1281, a code injection vulnerability (CWE-94) in Ivanti Endpoint Manager Mobile (EPMM). This KEV-listed vulnerability allows remote attackers to inject and execute arbitrary code via the EPMM management interface. Detection focuses on anomalous process execution, suspicious web shell activity, and unexpected outbound connections from EPMM server infrastructure.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
KQL Detection Query
let epmm_processes = dynamic(['java', 'tomcat', 'mi-dm', 'openapi-generator', 'mics']);
let suspicious_children = dynamic(['cmd.exe', 'powershell.exe', 'sh', 'bash', 'curl', 'wget', 'python', 'python3', 'perl', 'nc', 'ncat', 'nmap']);
union DeviceProcessEvents, SecurityEvent
| where TimeGenerated >= ago(7d)
| where (InitiatingProcessFileName has_any (epmm_processes) or ParentProcessName has_any (epmm_processes))
| where (ProcessCommandLine has_any (suspicious_children) or FileName has_any (suspicious_children))
| extend RiskScore = case(
ProcessCommandLine has 'whoami' or ProcessCommandLine has 'id', 'HIGH',
ProcessCommandLine has 'wget' or ProcessCommandLine has 'curl', 'HIGH',
ProcessCommandLine has 'chmod' or ProcessCommandLine has 'base64', 'MEDIUM',
'LOW'
)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, ParentProcessName, RiskScore
| order by TimeGenerated descDetects EPMM service processes (Java/Tomcat) spawning anomalous child processes indicative of code injection exploitation. Covers web shell execution, reverse shell staging, and post-exploitation enumeration commands.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrative scripts run by EPMM service accounts during maintenance
- Automated health-check or monitoring agents spawned by Tomcat on the EPMM server
- Patch deployment tooling that temporarily invokes shell commands via the EPMM service user
Other platforms for CVE-2026-1281
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate EPMM Code Injection via Curl to Local Test Endpoint
Expected signal: Network logs showing POST request to EPMM endpoint; if exploitable, process execution logs for id/whoami/uname commands spawned by Java process.
- Test 2Emulate Post-Exploitation Child Process Spawn from Java Parent
Expected signal: Process creation events showing bash/sh spawned from a process named java_epmm_sim; command line includes id, whoami, hostname.
- Test 3Simulate Web Shell Drop and Execution via EPMM Webapps Directory
Expected signal: File creation event in Tomcat webapps directory for a .jsp file; auditd SYSCALL write/open record pointing to webapps path.
- Test 4Simulate Outbound C2 Beacon from EPMM Server Context
Expected signal: Network connection event from EPMM host to external IP on port 4444; process initiating the connection is curl with parent process in EPMM service context.
References (4)
- https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340
- https://nvd.nist.gov/vuln/detail/CVE-2026-1281
- https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0S-5.noarch.rpm
- https://support.mobileiron.com/mi/vsp/AB1771634/ivanti-security-update-1761642-1.0.0L-5.noarch.rpm
Unlock Pro Content
Get the full detection package for CVE-2026-1281 including response playbook, investigation guide, and atomic red team tests.