CVE-2026-6973

CVE-2026-6973: Ivanti EPMM Improper Input Validation Exploitation

Detects exploitation attempts targeting CVE-2026-6973, an improper input validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM). This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to bypass authentication or execute unauthorized actions against the EPMM management interface.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Ivanti
Product
Endpoint Manager Mobile (EPMM)

Weakness (CWE)

Timeline

Disclosed
May 7, 2026

CVSS

Unscored

What is CVE-2026-6973: Ivanti EPMM Improper Input Validation Exploitation?

CVE-2026-6973: Ivanti EPMM Improper Input Validation Exploitation (CVE-2026-6973) maps to the Initial Access (the adversary is trying to get into your network), Persistence and Privilege Escalation tactics in MITRE ATT&CK.

This page provides production-ready detection logic for CVE-2026-6973: Ivanti EPMM Improper Input Validation Exploitation, covering the data sources and telemetry it touches: CommonSecurityLog, W3CIISLog, AzureDiagnostics. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Persistence Privilege Escalation
Microsoft Sentinel / Defender (Kusto query)

union isfuzzy=true
(
  CommonSecurityLog
  | where DeviceVendor == "Ivanti" or DeviceProduct has_any ("EPMM", "MobileIron")
  | where RequestURL has_any ("/mifs/", "/api/v1/", "/api/v2/", "/admin/")
  | where Activity has_any ("400", "422", "500") or AdditionalExtensions has "malformed"
  | project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, RequestURL, Activity, AdditionalExtensions
),
(
  W3CIISLog
  | where csUriStem has_any ("/mifs/", "/api/v1/", "/api/v2/")
  // Raw C0 control characters, or their percent-encoded forms %00-%1F, in the query string
  | where scStatus in ("400", "422", "500") or csUriQuery matches regex @"[\x00-\x1f]|%[01][0-9a-fA-F]"
  | project TimeGenerated, cIP, csUriStem, csUriQuery, scStatus, csUserAgent
),
(
  AzureDiagnostics
  | where ResourceType == "APPLICATIONGATEWAYS"
  | where requestUri_s has_any ("/mifs/", "/api/v1/", "/api/v2/")
  | where httpStatus_d in (400, 422, 500)
  | project TimeGenerated, clientIP_s, requestUri_s, httpStatus_d, userAgent_s
)
// Pick whichever client-address column the matching branch populated
| extend AccountCustomEntity = coalesce(SourceIP, cIP, clientIP_s)
| extend IPCustomEntity = coalesce(SourceIP, cIP, clientIP_s)

Detects anomalous or malformed HTTP requests targeting Ivanti EPMM API and admin endpoints, which may indicate exploitation of CVE-2026-6973 improper input validation. Looks for error responses and suspicious request patterns across IIS logs, common security logs, and Azure Application Gateway diagnostics.
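The W3CIISLog branch of the query above, re-implemented as an added example (not code from the page or from Ivanti) that runs the same predicate over constructed IIS log lines; it assumes the W3C field order given in the embedded #Fields directive.

```python
import re
from typing import Dict, List

# Endpoint prefixes and status codes mirrored from the page's KQL query.
EPMM_PATHS = ("/mifs/", "/api/v1/", "/api/v2/")
ERROR_STATUS = {"400", "422", "500"}
# Raw C0 control characters or their percent-encoded forms (%00-%1F) in the query string.
CTRL_CHARS = re.compile(r"[\x00-\x1f]|%[01][0-9a-fA-F]")

# W3C IIS field order assumed for this example (set by the #Fields: directive).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "sc-status", "cs(User-Agent)"]

def parse_w3c(lines: List[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts, skipping '#' directive lines."""
    records = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue  # malformed line: ignored here, worth its own alert in production
        records.append(dict(zip(FIELDS, parts)))
    return records

def is_suspicious(rec: Dict[str, str]) -> bool:
    """Same predicate as the W3CIISLog branch: EPMM path AND (error status OR control chars)."""
    if not any(p in rec["cs-uri-stem"] for p in EPMM_PATHS):
        return False
    return rec["sc-status"] in ERROR_STATUS or bool(CTRL_CHARS.search(rec["cs-uri-query"]))

def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return matching records projected to the same columns the KQL projects."""
    return [{"cIP": r["c-ip"], "csUriStem": r["cs-uri-stem"], "csUriQuery": r["cs-uri-query"],
             "scStatus": r["sc-status"], "csUserAgent": r["cs(User-Agent)"]}
            for r in parse_w3c(lines) if is_suspicious(r)]

# Constructed sample log lines (not real traffic); cs-uri-query is '-' when empty.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)",
    "2026-05-08 10:00:01 203.0.113.5 GET /mifs/login.jsp - 200 Mozilla/5.0",
    "2026-05-08 10:00:02 203.0.113.5 POST /api/v2/devices id=1%00x 200 curl/8.0",
    "2026-05-08 10:00:03 198.51.100.7 GET /api/v1/admin/users - 422 python-requests/2.31",
    "2026-05-08 10:00:04 192.0.2.9 GET /static/logo.png - 500 Mozilla/5.0",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

The fourth sample line shows the path filter doing its job: a 500 on a non-EPMM path is not reported, which is what keeps generic server errors out of this rule.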

Severity
critical
Confidence
medium

Data Sources

CommonSecurityLog W3CIISLog AzureDiagnostics

Required Tables

CommonSecurityLog W3CIISLog AzureDiagnostics

False Positives

  • Legitimate automated scanners or vulnerability assessment tools probing the EPMM interface
  • Misconfigured MDM clients sending malformed enrollment requests resulting in 400/422 errors
  • Load balancer health checks generating unexpected HTTP response codes
  • Administrative API calls with unusual but valid payloads during migration or upgrade activities

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-6973: Ivanti EPMM Improper Input Validation Exploitation (CVE-2026-6973) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: CVE-2026-6973 EPMM Input Validation Probe — Null Byte Injection

    Expected signal: HTTP 400 or 422 responses from the EPMM server for null-byte payloads; web server access log entries with %00 in the URL; WAF alert if a WAF is present

  2. Test 2: CVE-2026-6973 EPMM API Endpoint Fuzzing — Oversized Input

    Expected signal: HTTP 400 or 500 response; web server log entry with a large Content-Length header; potential application error log entry on the EPMM server

  3. Test 3: CVE-2026-6973 EPMM Admin API Unauthorized Access Attempt — CRLF Injection

    Expected signal: HTTP 400/422 responses; EPMM access log entries with CRLF sequences in headers; potential WAF alert on header injection attempt

  4. Test 4: CVE-2026-6973 Post-Exploitation — EPMM Unauthorized Admin Enumeration

    Expected signal: Successful HTTP 200 responses to admin API endpoints (if the token is valid); authentication/authorization log entries in the EPMM audit log; network flow records showing an enumeration pattern
