CVE-2026-1340 Splunk · SPL

Detect Ivanti EPMM Code Injection Exploitation (CVE-2026-1340) in Splunk

Detects exploitation attempts targeting CVE-2026-1340, a code injection vulnerability (CWE-94) in Ivanti Endpoint Manager Mobile (EPMM). This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and allows remote attackers to inject and execute arbitrary code via the EPMM management interface. Successful exploitation may lead to full device management compromise, lateral movement, and data exfiltration from enrolled mobile devices.

MITRE ATT&CK

Tactic
Initial Access Execution Lateral Movement

SPL Detection Query

Splunk (SPL)
spl 
index=* sourcetype IN ("ivanti:epmm", "mobileiron", "iis", "apache", "nginx", "pan:traffic", "cisco:asa")
(uri="/mifs/*" OR uri="/mi/*" OR uri="/api/v1/*" OR uri="/api/v2/*"
 OR url="/mifs/*" OR url="/mi/*" OR url="/api/v1/*" OR url="/api/v2/*"
 OR request="/mifs/*" OR request="/mi/*")
(
  (uri="*eval(*" OR uri="*exec(*" OR uri="*Runtime.exec*" OR uri="*ProcessBuilder*" OR uri="*groovy*" OR uri="*ognl*" OR uri="*javax.script*" OR uri="*${*" OR uri="*#{*")
  OR (request="*eval(*" OR request="*exec(*" OR request="*ProcessBuilder*" OR request="*groovy*" OR request="*ognl*")
  OR (body="*eval(*" OR body="*exec(*" OR body="*ProcessBuilder*" OR body="*ScriptEngine*" OR body="*groovy*" OR body="*ognl*")
)
| eval risk_score=case(
    match(uri, "Runtime\.exec|ProcessBuilder|ScriptEngine"), 90,
    match(uri, "ognl|groovy"), 85,
    match(uri, "eval\(|exec\("), 80,
    true(), 70
  )
| stats count AS request_count, max(risk_score) AS max_risk, values(uri) AS uris, values(status) AS status_codes, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip, dest_ip
| where request_count >= 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - max_risk
critical severity medium confidence

Detects code injection exploitation attempts against Ivanti EPMM by searching for injection-related patterns in HTTP request URIs and bodies targeting known EPMM API paths.

Data Sources

Ivanti EPMM logsWeb server logs (IIS/Apache/Nginx)Network security logs

Required Sourcetypes

ivanti:epmmmobileironiisapachenginxpan:traffic

False Positives & Tuning

  • Authorized security scanning tools querying EPMM endpoints with special characters in parameters
  • EPMM administrative automation scripts that dynamically construct API queries
  • URL encoding of legitimate data that resembles injection patterns
  • Internal monitoring or health-check systems performing scripted API calls

Other platforms for CVE-2026-1340

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1EPMM API Endpoint Code Injection Pattern Probe

    Expected signal: Web server access logs will show POST requests to /mifs/j_spring_security_check and GET requests to /api/v1/configuration/users with URL-encoded injection patterns. Network security appliances should log the requests with high-severity signatures. Host-based EDR should not show process anomalies for a non-successful probe.

  2. Test 2Simulate Java Process Spawning Shell After EPMM Exploitation

    Expected signal: Process creation events showing java spawning /bin/sh as a child process. EDR telemetry should capture the full process tree: [parent] -> java -> sh -> id/hostname/whoami. Command line arguments visible in process creation logs.

  3. Test 3EPMM Reconnaissance — Unauthenticated API Enumeration

    Expected signal: Web access logs showing sequential requests from a single IP to multiple EPMM administrative paths within a short time window. Firewall or IDS/IPS logs may flag the scanning pattern. HTTP response codes (200, 302, 401, 403) visible in logs.

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-1340 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1210Exploitation of Remote ServicesT1078Valid Accounts

Same Tactic: Initial Access

Popular Detections