
Detect CVE-2026-6973: Ivanti EPMM Improper Input Validation Exploitation in IBM QRadar

Detects exploitation attempts targeting CVE-2026-6973, an improper input validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM). This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to bypass authentication or execute unauthorized actions against the EPMM management interface.

MITRE ATT&CK

Tactic
  • Initial Access
  • Persistence
  • Privilege Escalation

QRadar Detection Query

IBM QRadar (QRadar)
AQL
SELECT
  sourceip,
  destinationip,
  UNIQUECOUNT(URL) AS unique_urls,
  COUNT(*) AS event_count,
  MIN(starttime) AS first_seen,
  MAX(starttime) AS last_seen
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Ivanti EPMM', 'Microsoft IIS', 'Apache HTTP Server')
  AND LOGSOURCENAME(logsourceid) ILIKE '%EPMM%'
  AND (
    URL ILIKE '%/mifs/%'
    OR URL ILIKE '%/api/v1/%'
    OR URL ILIKE '%/api/v2/%'
    OR URL ILIKE '%/admin/%'
  )
  AND (
    "responseCode" IN ('400', '422', '500')
    OR URL ILIKE '%\%00%'
    OR URL ILIKE '%\%0a%'
    OR URL ILIKE '%\%0d%'
  )
GROUP BY sourceip, destinationip
HAVING event_count > 5
ORDER BY event_count DESC
LAST 60 MINUTES
Severity: critical · Confidence: medium

QRadar AQL query that counts requests to Ivanti EPMM paths (/mifs/, /api/v1/, /api/v2/, /admin/) which either returned an error status (400, 422, 500) or carried a URL-encoded null byte, LF or CR in the URL, grouped per source and destination IP over the last 60 minutes. Sources with more than five such requests are surfaced as probable probing or exploitation of CVE-2026-6973, with UNIQUECOUNT(URL) showing whether the source hammered one endpoint or fuzzed many. Aggregation is deliberately by source IP rather than by URL: a fuzzer that sends each payload to a different path never crosses the threshold if each distinct URL is counted on its own. Note that the LOGSOURCENAME(logsourceid) ILIKE '%EPMM%' clause is what actually scopes the query to the EPMM-fronting log sources, so the EPMM, IIS or Apache log sources in front of EPMM must be named accordingly, and the LOGSOURCETYPENAME list must match the DSM that is really ingesting them.

Data Sources

  • Ivanti EPMM logs
  • IIS web server logs
  • Network flow data

Required Tables

events

False Positives & Tuning

  • Legitimate MDM client software with bugs generating repeated malformed requests
  • Network monitoring tools performing availability checks on EPMM endpoints
  • Mobile device enrollment bursts from new device deployments causing request spikes
  • Automated reporting or integration scripts with improper error handling
  • Log source scoping: the query only sees log sources whose name contains "EPMM" and whose type is in the LOGSOURCETYPENAME list; if EPMM or its reverse proxy logs arrive under a different DSM or name, adjust both filters or the query returns nothing
  • Response codes: 401 and 403 are not in the status list, so unauthenticated probing that is cleanly rejected is counted only when the URL also carries an encoded control character; add them if your environment's baseline of 401/403 on these paths is low

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: CVE-2026-6973 EPMM Input Validation Probe — Null Byte Injection

    Expected signal: HTTP 400 or 422 responses from EPMM server for null-byte payloads; web server access log entries with %00 in the URL; WAF alert if WAF is present

  2. Test 2: CVE-2026-6973 EPMM API Endpoint Fuzzing — Oversized Input

    Expected signal: HTTP 400 or 500 response; web server log entry with large Content-Length header; potential application error log entry on EPMM server

  3. Test 3: CVE-2026-6973 EPMM Admin API Unauthorized Access Attempt — CRLF Injection

    Expected signal: HTTP 400/422 responses; EPMM access log entries with CRLF sequences in headers; potential WAF alert on header injection attempt

  4. Test 4: CVE-2026-6973 Post-Exploitation — EPMM Unauthorized Admin Enumeration

    Expected signal: Successful HTTP 200 responses to admin API endpoints (if token is valid); authentication/authorization log entries in EPMM audit log; network flow records showing enumeration pattern
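The following Python replays the logic of the AQL query above (row filter, per-source aggregation, 60-minute window, threshold of more than five hits) over constructed access-log lines that model the four test cases plus benign noise. It is an added example, not code from the detection package, IBM or Ivanti. The log layout (a minimal Apache/IIS-style access line), the 203.0.113.0/24 and 198.51.100.0/24 addresses, the request paths and the fixed evaluation time NOW are all assumptions made for the sample; a real EPMM or reverse-proxy log will differ and the parser would need adjusting.

```python
"""Replay the AQL query's logic over constructed access-log lines.

Added example; it is not part of the detection package or Ivanti's/IBM's code.
Assumptions: a minimal Apache/IIS-style access log (client IP, timestamp,
request line, status), the documentation IP ranges 203.0.113.0/24 and
198.51.100.0/24, and a fixed evaluation time NOW. Real EPMM log layout may differ.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The WHERE / HAVING / LAST clauses of the AQL query, expressed as constants.
PATH_PREFIXES = ("/mifs/", "/api/v1/", "/api/v2/", "/admin/")
ERROR_CODES = {"400", "422", "500"}            # note: 401/403 are not in the list
ENCODED_CONTROL = ("%00", "%0a", "%0d")         # null byte, LF, CR (URL-encoded)
THRESHOLD = 5                                   # HAVING event_count > 5
WINDOW = timedelta(minutes=60)                  # LAST 60 MINUTES
NOW = datetime(2026, 1, 15, 10, 0, tzinfo=timezone.utc)   # assumed query time

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> dict | None:
    """Parse one access-log line into the fields the query uses; None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m["src"], "ts": ts, "url": m["url"], "status": m["status"]}


def matches_query(ev: dict) -> bool:
    """Row-level filter: EPMM path AND (error status OR encoded control byte in URL)."""
    url = ev["url"].lower()                     # ILIKE is case-insensitive
    on_epmm_path = any(p in url for p in PATH_PREFIXES)
    suspicious = ev["status"] in ERROR_CODES or any(c in url for c in ENCODED_CONTROL)
    return on_epmm_path and suspicious


def aggregate(lines: list[str], now: datetime) -> dict[str, dict]:
    """GROUP BY sourceip over the window; keep sources with more than THRESHOLD hits."""
    buckets: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or not (now - WINDOW <= ev["ts"] <= now):
            continue
        if matches_query(ev):
            buckets[ev["src"]].append(ev)
    return {
        src: {
            "event_count": len(evs),
            "unique_urls": len({e["url"] for e in evs}),   # UNIQUECOUNT(URL)
            "first_seen": min(e["ts"] for e in evs),
            "last_seen": max(e["ts"] for e in evs),
        }
        for src, evs in buckets.items()
        if len(evs) > THRESHOLD
    }


def _line(src: str, minutes_ago: int, url: str, status: int) -> str:
    """Build one constructed log line (sample data, not captured traffic)."""
    ts = (NOW - timedelta(minutes=minutes_ago)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{src} - - [{ts}] "GET {url} HTTP/1.1" {status} 512'


# Constructed sample: one source per test case from the Testing Methodology, plus noise.
SAMPLE_LOG = (
    # Test 1: seven null-byte probes, each to a different URL, all rejected with 400
    [_line("203.0.113.10", 50 - i, f"/api/v1/users/{i}%00.json", 400) for i in range(7)]
    # Test 2: three oversized bodies that crash the handler (500); below the threshold
    + [_line("203.0.113.11", 45 - i, "/api/v2/devices", 500) for i in range(3)]
    # Test 3: six CRLF-injection attempts, same URL every time, rejected with 400
    + [_line("203.0.113.12", 30 - i, "/mifs/aad/api/v2/ping?cb=x%0D%0AX-Injected:%201", 400)
       for i in range(6)]
    # Test 4: successful admin enumeration (200): the query has no clause for this
    + [_line("203.0.113.13", 20 - i, f"/admin/api/v1/users?page={i}", 200) for i in range(8)]
    # Benign enrollment burst (200s) and a buggy MDM client (two 422s)
    + [_line("203.0.113.14", 15, "/mifs/c/ios/enroll", 200) for _ in range(10)]
    + [_line("198.51.100.5", 10 - i, "/api/v1/devices/sync", 422) for i in range(2)]
    # Same probing as Test 1 but 90+ minutes ago: outside LAST 60 MINUTES
    + [_line("203.0.113.15", 90 + i, f"/api/v1/users/{i}%00.json", 400) for i in range(8)]
)


def run_detection() -> dict[str, dict]:
    """Return the sources the query would surface for SAMPLE_LOG at NOW."""
    return aggregate(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    for src, row in sorted(run_detection().items()):
        print(src, row["event_count"], "events,", row["unique_urls"], "unique URLs")
```

Running it surfaces only 203.0.113.10 (Test 1, seven hits across seven distinct URLs) and 203.0.113.12 (Test 3, six hits on one URL). Two things the run makes concrete: the Test 1 source is caught only because aggregation is per source IP, since each of its URLs appears once; and the Test 4 enumeration falls through together with the benign enrollment burst, because both return 200 and carry no encoded control character. Detecting the post-exploitation stage therefore needs a separate query keyed on successful admin API access and the EPMM audit log, not a lower threshold on this one.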
