Ivanti EPMM Code Injection Exploitation (CVE-2026-1340)
Detects exploitation attempts targeting CVE-2026-1340, a code injection vulnerability (CWE-94) in Ivanti Endpoint Manager Mobile (EPMM). This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and allows remote attackers to inject and execute arbitrary code via the EPMM management interface. Successful exploitation may lead to full device management compromise, lateral movement, and data exfiltration from enrolled mobile devices.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Ivanti
- Product
- Endpoint Manager Mobile (EPMM)
Weakness (CWE)
Timeline
- Disclosed
- April 8, 2026
References & Proof of Concept
- https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US
- https://support.mobileiron.com/mi/vsp/AB1786671/ivanti-security-update-1761642-1.1.0S-5.noarch.rpm
- https://support.mobileiron.com/mi/vsp/AB1786671/ivanti-security-update-1761642-1.1.0L-5.noarch.rpm
- https://nvd.nist.gov/vuln/detail/CVE-2026-1340
CVSS
What is CVE-2026-1340 Ivanti EPMM Code Injection Exploitation (CVE-2026-1340)?
Ivanti EPMM Code Injection Exploitation (CVE-2026-1340) (CVE-2026-1340) maps to the Initial Access and Execution and Lateral Movement tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for Ivanti EPMM Code Injection Exploitation (CVE-2026-1340), covering the data sources and telemetry it touches: CommonSecurityLog, W3CIISLog, AzureDiagnostics. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
let SuspiciousEPMMPaths = dynamic(["/mifs/", "/mi/", "/api/v1/", "/api/v2/"]);
let InjectionPatterns = dynamic(["eval(", "exec(", "Runtime.exec", "ProcessBuilder", "ScriptEngine", "javax.script", "groovy", "ognl", "${{", "#{{"]);
union isfuzzy=true
(
CommonSecurityLog
| where DeviceVendor has_any ("Ivanti", "MobileIron")
| where RequestURL has_any (SuspiciousEPMMPaths)
| where Message has_any (InjectionPatterns) or RequestURL has_any (InjectionPatterns)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, RequestMethod, Message, DeviceVendor, DeviceProduct, EventOutcome
),
(
W3CIISLog
| where csUriStem has_any (SuspiciousEPMMPaths)
| where csUriQuery has_any (InjectionPatterns) or csUriStem has_any (InjectionPatterns)
| project TimeGenerated, cIP, csUriStem, csUriQuery, scStatus, csMethod
),
(
AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog"
| where requestUri_s has_any (SuspiciousEPMMPaths)
| where Message has_any (InjectionPatterns) or details_message_s has_any (InjectionPatterns)
| project TimeGenerated, clientIp_s, requestUri_s, action_s, Message
)
| extend AccountCustomEntity = SourceIP, IPCustomEntity = SourceIP
| summarize EventCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by SourceIP, RequestURL, RequestMethod
| where EventCount >= 1
| order by LastSeen descDetects HTTP requests to Ivanti EPMM endpoints containing code injection patterns in request URLs, parameters, or log messages. Covers CommonSecurityLog (network security appliances), W3C IIS logs, and Azure WAF logs.
Data Sources
Required Tables
False Positives
- Legitimate administrative scripts or automation tools interacting with EPMM API that use dynamic expressions in query parameters
- Security scanners or vulnerability assessment tools performing authorized scans of the EPMM management interface
- EPMM internal health check or monitoring agents that generate similar URL patterns
- Penetration testing or red team exercises with prior authorization
Sigma rule & cross-platform mapping
The detection logic for Ivanti EPMM Code Injection Exploitation (CVE-2026-1340) (CVE-2026-1340) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
product: azureBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-1340
References (4)
- https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US
- https://support.mobileiron.com/mi/vsp/AB1786671/ivanti-security-update-1761642-1.1.0S-5.noarch.rpm
- https://support.mobileiron.com/mi/vsp/AB1786671/ivanti-security-update-1761642-1.1.0L-5.noarch.rpm
- https://nvd.nist.gov/vuln/detail/CVE-2026-1340
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1EPMM API Endpoint Code Injection Pattern Probe
Expected signal: Web server access logs will show POST requests to /mifs/j_spring_security_check and GET requests to /api/v1/configuration/users with URL-encoded injection patterns. Network security appliances should log the requests with high-severity signatures. Host-based EDR should not show process anomalies for a non-successful probe.
- Test 2Simulate Java Process Spawning Shell After EPMM Exploitation
Expected signal: Process creation events showing java spawning /bin/sh as a child process. EDR telemetry should capture the full process tree: [parent] -> java -> sh -> id/hostname/whoami. Command line arguments visible in process creation logs.
- Test 3EPMM Reconnaissance — Unauthenticated API Enumeration
Expected signal: Web access logs showing sequential requests from a single IP to multiple EPMM administrative paths within a short time window. Firewall or IDS/IPS logs may flag the scanning pattern. HTTP response codes (200, 302, 401, 403) visible in logs.
Unlock Pro Content
Get the full detection package for CVE-2026-1340 including response playbook, investigation guide, and atomic red team tests.