CVE-2026-1281 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-1281 | CVSS 9.8 (Critical) | Exploit: PoC available

What Is It

CVE-2026-1281 is a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that allows unauthenticated remote attackers to execute arbitrary code on affected systems.

Technical Detail

The flaw exists in Ivanti EPMM and stems from insufficient input validation that permits code injection without requiring any prior authentication. An attacker can send a specially crafted request to the exposed interface to inject and execute malicious code in the context of the application. Successful exploitation results in unauthenticated remote code execution, giving an attacker full control over the affected system and potential access to managed mobile device data and credentials.

Exploitation Status

A proof-of-concept exploit is publicly available. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, meaning active exploitation in the wild has not been formally confirmed by CISA as of this writing. However, the availability of a PoC combined with the critical CVSS score of 9.8 and the unauthenticated attack vector significantly elevates the risk of exploitation in the near term.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. Ivanti EPMM has historically been targeted by nation-state actors and opportunistic threat groups, but no campaigns leveraging CVE-2026-1281 specifically have been publicly attributed as of May 8, 2026.

What To Do

Organizations running Ivanti Endpoint Manager Mobile should treat this as a priority patch given the critical severity, unauthenticated attack vector, and public PoC availability. Apply the vendor-supplied patch immediately upon availability and verify the patched version is deployed across all EPMM instances. If patching cannot be completed immediately, restrict network access to the EPMM management interface to trusted IP ranges and monitor for anomalous inbound requests or unexpected process execution originating from the EPMM service. Review Ivanti's official security advisory for specific version guidance and any interim workarounds. Given Ivanti EPMM's prior exploitation history, assume elevated attacker interest and prioritize detection coverage accordingly.
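One way to check that the interim network restriction described above is actually holding, as an added example that is not from Ivanti or from this briefing: it reads access-log lines from a front end placed before EPMM and reports sources outside the trusted ranges that were served rather than blocked. The Common Log Format, the use of HTTP 403 as the block response, the CIDR ranges, and the placeholder paths are all assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed allowlist; replace with the ranges permitted to reach EPMM management.
TRUSTED_RANGES = [ipaddress.ip_network(c) for c in ("10.20.0.0/16", "192.0.2.0/28")]

# Common Log Format prefix: client - user [time] "METHOD path proto" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation addresses, placeholder paths).
SAMPLE_LOG = """\
10.20.4.17 - - [08/May/2026:09:14:02 +0000] "GET /placeholder/admin HTTP/1.1" 200 5120
198.51.100.23 - - [08/May/2026:09:15:40 +0000] "POST /placeholder/endpoint HTTP/1.1" 403 212
203.0.113.9 - - [08/May/2026:09:16:11 +0000] "POST /placeholder/endpoint HTTP/1.1" 200 987
203.0.113.9 - - [08/May/2026:09:16:12 +0000] "GET /placeholder/endpoint HTTP/1.1" 200 143
not a log line
192.0.2.5 - - [08/May/2026:09:17:30 +0000] "GET /placeholder/admin HTTP/1.1" 200 5120
"""

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_RANGES)

def audit(log_text):
    """Return (served, blocked, unparsed): Counters keyed by untrusted source IP,
    plus the number of lines that could not be parsed."""
    served, blocked, unparsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        try:
            addr = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            addr = None
        if addr is None:
            unparsed += 1  # count these; silently dropped lines hide gaps
            continue
        if is_trusted(addr):
            continue
        # Assumed: the front end answers 403 when it blocks; anything else got through.
        (blocked if m.group(4) == "403" else served)[str(addr)] += 1
    return served, blocked, unparsed

if __name__ == "__main__":
    served, blocked, unparsed = audit(SAMPLE_LOG)
    for ip, n in served.items():
        print(f"ALLOWLIST GAP: {ip} was served {n} request(s)")
    print(f"blocked sources: {dict(blocked)}; unparsed lines: {unparsed}")
```

Any entry in `served` means an untrusted source reached the application while the instance may still be unpatched, so that host warrants the process-execution review the briefing recommends.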
