The Cybersecurity and Infrastructure Security Agency (CISA) has formally warned of a critical authentication bypass vulnerability in Ivanti Endpoint Manager (EPM), identifying it as CVE-2026-1603. This severe flaw, now cataloged on CISA’s Known Exploited Vulnerabilities (KEV) list, allows remote, unauthenticated attackers to steal sensitive stored credentials without any form of valid login. The vulnerability affects all Ivanti EPM versions prior to the 2024 SU5 release and has been actively exploited in real-world attacks, posing an immediate threat to federal agencies and private sector organizations.
Ivanti Endpoint Manager is a widely adopted client-based platform used by organizations to manage and secure extensive fleets of devices. Due to its central role in network management, any vulnerability that compromises its stored credentials can have significant and widespread repercussions. CISA’s inclusion of CVE-2026-1603 on the KEV list mandates immediate action for federal agencies. The vulnerability is classified under CWE-288, which describes an authentication bypass through an alternate path or channel, enabling an attacker to circumvent normal security checks.
Understanding the Ivanti EPM Authentication Bypass Vulnerability (CVE-2026-1603)
The technical root of CVE-2026-1603 lies in a flaw related to malformed header concatenation within specific endpoints of the Ivanti EPM application. It was discovered that certain API calls within EPM were not subjected to the same authentication controls as other parts of the software, creating an unguarded access route. This vulnerability was initially reported to Ivanti in November 2024 and later publicly disclosed by Trend Micro’s Zero Day Initiative, a program focused on researching and reporting software vulnerabilities.
Exploiting this vulnerability is reportedly straightforward for attackers. By sending a crafted HTTP request containing a specific “magic number,” the integer 64, an attacker can gain direct access to protected EPM endpoints. This access allows them to retrieve encrypted credential data associated with high-privilege accounts, effectively undermining the trust model that organizations rely on for endpoint security. The potential impact includes the theft of Domain Administrator password hashes and service account credentials stored within the management system.
Furthermore, CVE-2026-1603 can be chained with a related SQL injection vulnerability, tracked as CVE-2026-1602. This companion vulnerability, when exploited by an already authenticated attacker, allows for the reading of arbitrary records from the EPM database. The combined exploitation of these two vulnerabilities presents a particularly severe and realistic threat scenario for organizations using the affected Ivanti EPM versions.
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-1603 |
| Vendor / Product | Ivanti / Endpoint Manager (EPM) |
| Vulnerability Type | Authentication Bypass Using an Alternate Path or Channel |
| CWE Classification | CWE-288 |
| Affected Versions | Ivanti EPM versions prior to 2024 SU5 |
| Patched Version | Ivanti EPM 2024 SU5 |
| CISA KEV Added | March 9, 2026 |
| FCEB Patch Due | March 23, 2026 |
| Exploitation Status | Actively exploited in the wild |
| Attack Vector | Remote, unauthenticated network access |
| Impact | Credential leak, lateral movement, privilege escalation |
| Related CVE | CVE-2026-1602 (SQL Injection — chained exploitation) |
The implications of a successful exploit are significant. With stolen credentials, an attacker can move laterally across a compromised network, gain access to additional systems, and escalate privileges with relative ease. Because the attack requires no prior authentication, it is particularly alarming for any organization running Ivanti EPM whose management server is reachable over the network.
Mitigation and Response Measures
In response to the KEV listing for CVE-2026-1603, Federal Civilian Executive Branch (FCEB) agencies are required under Binding Operational Directive (BOD) 22-01 to fully patch all affected systems by March 23, 2026. For all organizations running Ivanti EPM, the primary recommendation is to immediately upgrade to version 2024 SU5, the patched release that addresses this vulnerability.
For those unable to apply the patch immediately, CISA offers several interim mitigation strategies. These include blocking external internet access to EPM management ports 80 and 443 and implementing strict IP allowlisting to ensure only trusted administrative hosts can access the server. Security teams are also advised to enhance monitoring of authentication logs for any unusual access to protected resources and to watch for unexpected API requests originating from unknown external addresses.
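The monitoring advice above, as an added illustration that is not part of the CISA or Ivanti guidance: a small Python filter that applies an administrative IP allowlist to web-server access logs for the EPM management server and flags successful, unauthenticated requests to protected API paths from addresses outside that allowlist. The allowlist networks, the `/epm/api/` path prefix and the log lines are all constructed placeholders, not real Ivanti EPM routes or observed traffic.

```python
import ipaddress
import re

# Trusted administrative hosts/networks (placeholder values for this example;
# replace with the organisation's own admin jump hosts).
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("10.20.30.0/24"),
    ipaddress.ip_network("192.168.100.5/32"),
]

# Constructed sample lines in combined log format. Paths are placeholders,
# not real Ivanti EPM endpoints.
SAMPLE_LOG = """\
10.20.30.15 - admin [09/Mar/2026:08:01:12 +0000] "GET /epm/api/credentials HTTP/1.1" 200 512
203.0.113.77 - - [09/Mar/2026:08:02:40 +0000] "GET /epm/api/credentials HTTP/1.1" 200 4096
203.0.113.77 - - [09/Mar/2026:08:02:41 +0000] "POST /epm/api/query HTTP/1.1" 200 2048
198.51.100.9 - - [09/Mar/2026:08:03:05 +0000] "GET /epm/login HTTP/1.1" 401 0
192.168.100.5 - svc_epm [09/Mar/2026:08:04:00 +0000] "GET /epm/api/status HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def is_allowlisted(ip: str) -> bool:
    """True if the source address belongs to a trusted administrative network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)


def find_suspicious(log_text: str, protected_prefix: str = "/epm/api/") -> list:
    """Return records for 2xx responses on protected paths where the source is
    not allowlisted and no authenticated user was logged: the 'unexpected API
    requests from unknown external addresses' the advisory says to watch for."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(protected_prefix):
            continue
        if is_allowlisted(m["ip"]):
            continue
        if m["status"].startswith("2") and m["user"] == "-":
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {h['ip']} {h['method']} {h['path']} status={h['status']} at {h['ts']}")
```

The same check is cheap to run as a scheduled job against the real access log; requests that trip it should be correlated with the EPM authentication log before being treated as exploitation.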
Organizations utilizing cloud-based deployments of Ivanti EPM should adhere to the specific guidance provided within BOD 22-01. In situations where no effective mitigations can be implemented, CISA advises discontinuing the use of the Ivanti EPM product until a patch can be successfully deployed. The ongoing exploitation of this vulnerability underscores the critical need for prompt patching and vigilant security practices.