Detection Notes: Ivanti EPMM Remote Code Execution Added to CISA KEV After Exploitation
Ivanti EPMM contains an improper input validation vulnerability that allows a remotely authenticated administrative user to achieve remote code execution. NVD confirms the CVE is in CISA KEV.
These are defensive detection notes only. No exploit instructions, payloads, or weaponized commands are included.
Detection objective
Detect activity consistent with the public reporting on this Ivanti EPMM remote code execution vulnerability (now listed in CISA KEV after observed exploitation) without inventing indicators not present in the source material. The detection goal is behavior-first monitoring, not blind IOC matching.
Useful telemetry
| Telemetry source | What to review |
|---|---|
| Identity provider logs | MFA changes, risky sign-ins, impossible travel, new sessions, OAuth grants, service-account use |
| Endpoint telemetry | Suspicious process ancestry, archive tools, credential access behavior, remote-access tool execution |
| SaaS audit logs | Bulk exports, mailbox rules, admin role changes, token creation, third-party app access |
| Network and DNS logs | New outbound destinations, unusual ports, proxy anomalies, beacon-like patterns |
| Cloud control plane | New keys, policy changes, role assumption, storage access, suspicious automation |
Hunting approach
Start from exposure. If the affected technology or behavior is not present, document that and move on. If it is present, review the last 30 to 90 days depending on log availability and risk. Focus on changes that an attacker would need: access, persistence, privilege, collection, exfiltration, and recovery disruption.
Alerting ideas
Create alerts for new remote-access tooling on servers, suspicious MFA resets, sensitive SaaS exports, unexpected admin account creation, new cloud access keys, and large archive creation followed by outbound transfer. Keep alert logic behavior-based unless the source publishes trusted indicators.
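The hunting window above and two of the alerting ideas (large archive creation followed by outbound transfer, and unexpected admin account creation) as an added Python example; this is not code from the page, from Ivanti, CISA, NVD or any listed source. It scopes constructed sample events to a 30-to-90-day lookback, then flags a large archive created on a host that is followed within an hour by a sizeable outbound transfer from the same host to a non-internal address, and flags admin account creation by any actor outside an allowlist. The event field names, the allowlist, the internal address ranges, the thresholds and the sample events themselves are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events, normalized the way a SIEM might emit them.
# Field names ("kind", "host", "actor", "bytes", "dst") are assumptions for
# this example, not fields defined by any Ivanti, CISA or NVD source.
SAMPLE_EVENTS = [
    {"ts": "2026-05-20T01:00:00", "host": "epmm-01", "actor": "admin_svc",
     "kind": "archive_create", "path": "/tmp/export.tgz", "bytes": 900_000_000},
    {"ts": "2026-05-20T01:12:00", "host": "epmm-01", "actor": "admin_svc",
     "kind": "net_outbound", "dst": "203.0.113.7", "bytes": 850_000_000},
    {"ts": "2026-05-20T01:30:00", "host": "epmm-01", "actor": "admin_svc",
     "kind": "admin_create", "new_account": "support2"},
    # Routine backup: large archive, but the transfer stays on the internal network.
    {"ts": "2026-05-21T09:00:00", "host": "fs-02", "actor": "backup",
     "kind": "archive_create", "path": "/backup/daily.tgz", "bytes": 2_000_000_000},
    {"ts": "2026-05-21T09:05:00", "host": "fs-02", "actor": "backup",
     "kind": "net_outbound", "dst": "10.0.0.5", "bytes": 2_000_000_000},
    # Admin account created by an allowlisted actor: expected, no alert.
    {"ts": "2026-05-21T12:00:00", "host": "idp", "actor": "it.admin",
     "kind": "admin_create", "new_account": "newhire.admin"},
    # Older than a 90-day lookback from the assumed "now" used below.
    {"ts": "2026-01-15T08:00:00", "host": "idp", "actor": "contractor.x",
     "kind": "admin_create", "new_account": "tmpadmin"},
]

# Environment-specific assumptions: who is expected to create admin accounts,
# and which address ranges count as internal (RFC 1918 here).
EXPECTED_ADMIN_CREATORS = {"it.admin"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_internal(dst):
    """True only for addresses inside the configured internal ranges."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False  # hostnames are treated as external until resolved
    return any(addr in net for net in INTERNAL_NETS)


def in_lookback(events, now, days):
    """Keep events within the review window (30 to 90 days per the notes)."""
    cutoff = now - timedelta(days=days)
    return [e for e in events if _ts(e) >= cutoff]


def archive_then_outbound(events, min_bytes=100_000_000, window=timedelta(hours=1)):
    """Large archive on a host followed within `window` by a large outbound
    transfer from the same host to a non-internal destination."""
    alerts = []
    by_host = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        for i, a in enumerate(evs):
            if a["kind"] != "archive_create" or a.get("bytes", 0) < min_bytes:
                continue
            for b in evs[i + 1:]:
                if _ts(b) - _ts(a) > window:
                    break  # events are time-sorted; nothing later can match
                if (b["kind"] == "net_outbound" and not is_internal(b.get("dst", ""))
                        and b.get("bytes", 0) >= min_bytes):
                    alerts.append({"rule": "archive_then_outbound", "host": host,
                                   "actor": a["actor"], "archive": a["path"],
                                   "dst": b["dst"]})
                    break
    return alerts


def unexpected_admin_creation(events, allowlist=EXPECTED_ADMIN_CREATORS):
    """Admin account creation by an actor not on the expected-creator allowlist."""
    return [{"rule": "unexpected_admin_creation", "host": e["host"],
             "actor": e["actor"], "account": e["new_account"]}
            for e in events
            if e["kind"] == "admin_create" and e["actor"] not in allowlist]


def run_alerts(events, now, lookback_days=90):
    """Apply the lookback, then both behavior-based rules."""
    scoped = in_lookback(events, now, lookback_days)
    return archive_then_outbound(scoped) + unexpected_admin_creation(scoped)


if __name__ == "__main__":
    for alert in run_alerts(SAMPLE_EVENTS, datetime(2026, 6, 1), lookback_days=90):
        print(alert)
```

With the assumed "now" of 2026-06-01 and a 90-day window, the run produces two alerts (the archive-then-transfer sequence and the `support2` account creation on `epmm-01`); widening the window to 365 days also surfaces the January account creation. The internal-range check uses explicit RFC 1918 networks rather than `ipaddress`'s `is_private`, because `is_private` also returns True for documentation ranges such as 203.0.113.0/24, which would silently suppress the sample alert; thresholds and the allowlist should be tuned to the environment before the rules go live.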
Limits of public verification
This post is intentionally conservative. It only uses facts visible in the listed public sources and does not add unverified exploit steps, indicators, victim counts, affected versions, or attribution.
CVEs: CVE-2026-6973
Response notes
If suspicious activity is found, preserve logs before containment, snapshot affected cloud and endpoint evidence where possible, rotate exposed credentials, revoke suspicious tokens, and validate backup integrity.
Sources
- https://nvd.nist.gov/vuln/detail/CVE-2026-6973
- https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-6973
- https://thehackernews.com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html
