Detect Ivanti EPMM Code Injection Exploitation (CVE-2026-1340) in Sumo Logic CSE
Detects exploitation attempts targeting CVE-2026-1340, a code injection vulnerability (CWE-94) in Ivanti Endpoint Manager Mobile (EPMM). This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and allows remote attackers to inject and execute arbitrary code via the EPMM management interface. Successful exploitation may lead to full device management compromise, lateral movement, and data exfiltration from enrolled mobile devices.
MITRE ATT&CK
Sumo Detection Query
_sourceCategory=ivanti/epmm OR _sourceCategory=mobileiron OR _sourceCategory=webserver/access
| where (%"cs-uri-stem" matches "/mifs/*" or %"cs-uri-stem" matches "/mi/*" or %"cs-uri-stem" matches "/api/v1/*" or %"cs-uri-stem" matches "/api/v2/*"
or url matches "/mifs/*" or url matches "/mi/*" or url matches "/api/v1/*" or url matches "/api/v2/*")
| where (%"cs-uri-stem" matches "*eval(*" or %"cs-uri-stem" matches "*exec(*" or %"cs-uri-stem" matches "*ProcessBuilder*" or %"cs-uri-stem" matches "*groovy*" or %"cs-uri-stem" matches "*ognl*"
or url matches "*eval(*" or url matches "*exec(*" or url matches "*ProcessBuilder*" or url matches "*groovy*" or url matches "*ognl*"
or %"cs-uri-query" matches "*eval(*" or %"cs-uri-query" matches "*ProcessBuilder*" or %"cs-uri-query" matches "*groovy*")
| parse field=srcip "*" as source_ip nodrop
| parse field=%"c-ip" "*" as source_ip nodrop
| count by source_ip, url, %"sc-status"
| sort by _count descSumo Logic query for detecting code injection exploitation attempts against Ivanti EPMM management interfaces by correlating URI patterns with code injection signatures.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate EPMM API calls from authorized management consoles containing special characters
- Security scanners performing authorized assessments of the management interface
- Log ingestion pipelines that normalize or encode EPMM event data in ways that mimic injection patterns
- Integration middleware that passes script content through EPMM APIs as part of normal device policy management
Other platforms for CVE-2026-1340
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1EPMM API Endpoint Code Injection Pattern Probe
Expected signal: Web server access logs will show POST requests to /mifs/j_spring_security_check and GET requests to /api/v1/configuration/users with URL-encoded injection patterns. Network security appliances should log the requests with high-severity signatures. Host-based EDR should not show process anomalies for a non-successful probe.
- Test 2Simulate Java Process Spawning Shell After EPMM Exploitation
Expected signal: Process creation events showing java spawning /bin/sh as a child process. EDR telemetry should capture the full process tree: [parent] -> java -> sh -> id/hostname/whoami. Command line arguments visible in process creation logs.
- Test 3EPMM Reconnaissance — Unauthenticated API Enumeration
Expected signal: Web access logs showing sequential requests from a single IP to multiple EPMM administrative paths within a short time window. Firewall or IDS/IPS logs may flag the scanning pattern. HTTP response codes (200, 302, 401, 403) visible in logs.
References (4)
- https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US
- https://support.mobileiron.com/mi/vsp/AB1786671/ivanti-security-update-1761642-1.1.0S-5.noarch.rpm
- https://support.mobileiron.com/mi/vsp/AB1786671/ivanti-security-update-1761642-1.1.0L-5.noarch.rpm
- https://nvd.nist.gov/vuln/detail/CVE-2026-1340
Unlock Pro Content
Get the full detection package for CVE-2026-1340 including response playbook, investigation guide, and atomic red team tests.