
CISA Added Ivanti EPMM CVE-2026-1281 To KEV On May 13. We Named The Russian IP Owning 83% Of Exploitation On March 17. That's A 57-Day Lead.

  • Writer: Patrick Duggan
  • 4 min read

CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities catalog on May 13, 2026. It is a code-injection vulnerability in Ivanti Endpoint Manager Mobile that allows unauthenticated remote code execution. The federal patch deadline is short. If you operate Ivanti EPMM and you have not patched, that is the first thing to do after closing this tab.


The reason we are posting today is a receipt.


On March 17, 2026, we published a Threat Sweep that opened with the line "One Russian IP Owns 83% of an Ivanti Zero-Day" and named CVE-2026-1281 and CVE-2026-1340 by identifier. That was 57 days before CISA's KEV listing. The post documented the single-IP concentration in exploitation traffic, the parallel GreyNoise, Unit 42, and Rapid7 disclosures, and the inference that an actor was running a held private capability before the public PoCs landed.


STIX feed subscribers had the indicator on their block list the day we published. The defenders who routed our feed into Splunk ES, OPNsense, Suricata, or Unbound DNS sinkhole on March 17 were filtering the offending traffic for 57 days before CISA confirmed that it warranted federal-deadline urgency.


That gap is the product.


What "57-day lead" means in practice



For a federal civilian agency, the KEV listing is the gating event for the patch deadline. Private-sector defenders work on a different clock. The interesting clock is the gap between when a credible threat-intel pipeline names an actor or an indicator and when the rest of the industry catches up. On CVE-2026-1281, that gap was 57 days on our side. That number is a measurable artifact, not a marketing claim. The original post is dated and indexed. The CISA KEV entry is dated. The arithmetic is the arithmetic.


We do not catch every CVE 57 days early. We have written about the ones we missed too, including a public writeup on a Linux kernel CVE that hit KEV on May 1 where our prior coverage was zero. The honest accounting matters more than the win column. But when we catch one, the receipt is durable and we point at it.


What's on the STIX feed today



The feed is STIX 2.1 over a TAXII 2.1 discovery surface with format adapters for the SIEM and firewall stacks defenders actually run. Splunk ES gets observed-data objects. OPNsense and Suricata get rule-compatible exports. Unbound DNS gets a domain sinkhole list. The same Bearer key works across every format. The cost is zero for individual researchers and a published price for production customers. The registration form takes 30 seconds.


The corpus behind the feed is around 1.15 million indicators across nation-state, financial-crime, ransomware, supply-chain, and infrastructure-staging categories, with attribution where it exists and confidence scores that are honest about where it does not. Lead time on the CVE-2026-1281 cluster is one of the bigger numbers in our archive. Lead time on other clusters runs shorter — sometimes hours, sometimes days. The shape we publish about each week is consistent: name the actor when we have attribution, name the indicator when we have it on the wire, and timestamp everything so the receipt is checkable later.


The call to action, written plainly



If you run Ivanti Endpoint Manager Mobile, patch it. CVE-2026-1281 is unauthenticated remote code execution and it is on the KEV catalog because it is being exploited.


If you operate a SIEM, a firewall, or a DNS resolver and you do not yet pull a high-fidelity threat-intel feed, register for ours. The link is at analytics dugganusa dot com slash stix slash register. Thirty seconds, Bearer key issued immediately, free tier covers individual researchers, paid tier covers production-scale ingest with the SLA defenders need.


If you already pull the feed, the action this week is to confirm the CVE-2026-1281 cluster is in your active indicator set. If your downstream SIEM rules are tag-aware, the relevant tag is the CVE identifier. The IP that was named on March 17 has been on the feed since March 17.
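One way to run that confirmation against a STIX 2.1 bundle pulled from any feed, as an added example rather than the feed's own client code: the bundle is constructed sample data, and the IP is an RFC 5737 placeholder because this post does not print the address. The check treats both `labels` and an `external_references` entry as the CVE tag, and it honours `valid_from`/`valid_until` so an expired indicator is not mistaken for an active one.

```python
# Added example: checks a STIX 2.1 bundle for an active IPv4 indicator tagged
# with a given CVE. Not the feed's own client code; the sample data is constructed.
import json
import re
from datetime import datetime, timezone

# Single-comparison STIX pattern for an IPv4 observable: [ipv4-addr:value = '...']
_IPV4_PATTERN = re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]")

# Constructed sample bundle (fields trimmed); 192.0.2.x is RFC 5737 TEST-NET-1, a placeholder.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '192.0.2.10']", "pattern_type": "stix",
         "valid_from": "2026-03-17T00:00:00.000Z", "labels": ["malicious-activity"],
         "external_references": [{"source_name": "cve", "external_id": "CVE-2026-1281"}]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[ipv4-addr:value = '192.0.2.99']", "pattern_type": "stix",
         "valid_from": "2026-01-01T00:00:00.000Z", "labels": ["CVE-2026-1281"],
         "valid_until": "2026-02-01T00:00:00.000Z"},  # expired: must not count as active
    ],
})

def _stix_time(ts):
    """Parse a STIX timestamp (RFC 3339, trailing Z) into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def active_cve_ips(bundle_json, cve_id, now=None):
    """Return {ip: indicator_id} for IPv4 indicators tagged with cve_id and valid at `now`.
    A tag is a label or an external_references external_id; expired entries are skipped."""
    now = now or datetime.now(timezone.utc)
    hits = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        tags = set(obj.get("labels", []))
        tags.update(r.get("external_id", "") for r in obj.get("external_references", []))
        if cve_id not in tags:
            continue
        start, until = obj.get("valid_from"), obj.get("valid_until")
        if (start and _stix_time(start) > now) or (until and _stix_time(until) <= now):
            continue
        match = _IPV4_PATTERN.fullmatch(obj.get("pattern", "").strip())
        if match:
            hits[match.group(1)] = obj["id"]
    return hits
```

An empty result for the CVE you expect means the cluster is not in your active set, which is the condition to investigate before trusting tag-aware SIEM rules keyed on that identifier.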


If you are a competitor reading this and you are wondering whether the 57-day number is overstated, the receipts are both public. Our March 17 blog post is indexed at the URL it has always carried. The CISA KEV entry is on the CISA website. Run the subtraction.


What we do not claim



We do not claim 100% perfection. We do not claim that every CVE that ever hits KEV will be in our archive 57 days early. We do not claim that the feed replaces patching, EDR, identity, or the human work of running a security program. The feed is one input. The right place to put it is in the same pipeline you already use to ingest commercial threat intel, with the difference that ours is priced for defenders who are not a Fortune 500 and the lead time is real.


Five percent of what we ship is wrong, late, or incomplete. That is the cap we hold. The 95% that is right, including the 57-day lead on CVE-2026-1281, is the part you pay for.


Sources: DugganUSA Threat Sweep dated March 17, 2026, titled "St. Patrick's Day Threat Sweep: One Russian IP, Three Supply Chain Attacks, and a Dead Man's Switch." CISA Known Exploited Vulnerabilities Catalog entry for CVE-2026-1281, added May 13, 2026. Subtract.





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.
