Ivanti EPM Authentication Bypass Vulnerability
Summary
CISA has added CVE-2026-1603, an authentication bypass in Ivanti Endpoint Manager (EPM), to its Known Exploited Vulnerabilities (KEV) catalog. The flaw lets a remote, unauthenticated attacker leak specific stored credential data and affects EPM versions before 2024 SU5.
What changed
CISA has added CVE-2026-1603, an authentication bypass in Ivanti Endpoint Manager (EPM) versions prior to 2024 SU5, to its Known Exploited Vulnerabilities (KEV) catalog. Ivanti, the CNA, classifies the flaw as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and rates it CVSS 3.1 8.6 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N: it is reachable over the network, requires no privileges or user interaction, and allows a remote unauthenticated attacker to bypass authentication and leak specific stored credential data. Integrity and availability are not directly affected; the changed scope (S:C) records that the impact reaches beyond the vulnerable component, which is consistent with leaked credentials being usable elsewhere. CISA's SSVC assessment lists exploitation as active and automatable, with total technical impact.
Organizations running Ivanti EPM should update to version 2024 SU5 or later without delay. Because exploitation is already active and the flaw discloses stored credentials, credentials held by an unpatched EPM server should be treated as potentially exposed, since they can be reused for follow-on compromise.
What to do next
- Update Ivanti Endpoint Manager to version 2024 SU5 or later.
- Review EPM servers for signs of compromise related to CVE-2026-1603, and rotate any credentials stored in EPM that could have been leaked.
- Consult Ivanti's security advisory for detailed remediation steps.
Source document (simplified)
Required CVE Record Information
CNA: Ivanti
Description
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
CWE 1 Total
- CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS 1 Total
| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 8.6 | HIGH | 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Product Status
Versions 1 Total
Default Status: affected
- unaffected at 2024 SU5
References 1 Total
Authorized Data Publishers
CISA-ADP (updated 2026-03-10): SSVC and KEV, plus CVSS and CWE if not provided by the CNA.
SSVC 1 Total
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | yes | total | 2.0.3 | 2026-02-17 |
KEV 1 Total
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1603 (2026-03-09)