CISA Alerts on Ivanti Endpoint Manager Vulnerability Auth Bypass Exploited in the Wild


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly disclosed security vulnerability affecting Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) Catalog, warning that the issue is being actively exploited in the wild. The vulnerability, tracked as CVE-2026-1603, allows attackers to bypass authentication and potentially access sensitive credential data stored within the system.

Ivanti Endpoint Manager is widely used by organizations to manage endpoints, deploy software, and enforce security policies across enterprise networks.

Because of its privileged role in IT infrastructure, vulnerabilities in the platform can pose serious risks if exploited by threat actors.

According to CISA, CVE-2026-1603 is an authentication bypass caused by the application exposing an alternate path or channel that sidesteps its normal authentication checks. It is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel), the weakness in which a product enforces authentication on its primary entry point but leaves another route to the same functionality unauthenticated.

If exploited, the vulnerability could allow a remote, unauthenticated attacker to bypass standard authentication controls and retrieve specific stored credential data from the system.

While details about the exact attack technique have not been publicly disclosed, such vulnerabilities can often be leveraged to gain deeper access to enterprise environments.

Security researchers warn that authentication bypass vulnerabilities are especially dangerous because they remove one of the most important security barriers protecting internal systems.

In environments where endpoint management platforms control thousands of devices, a successful attack could expose credentials used for administrative access or system management.

Ivanti Endpoint Manager Vulnerability

CISA added CVE-2026-1603 to the KEV catalog on March 9, 2026, signaling that the vulnerability has already been observed in active attacks.

The KEV catalog serves as an authoritative list of security vulnerabilities confirmed to be exploited in real-world incidents.

It is designed to help organizations prioritize patching and remediation efforts based on active threat intelligence rather than theoretical risk.

For U.S. federal agencies, inclusion in the KEV catalog triggers mandatory remediation timelines under Binding Operational Directive (BOD) 22-01. Agencies are required to apply mitigations or patches for this vulnerability by March 23, 2026.

Although there is currently no confirmation that the vulnerability is being used in ransomware campaigns, the potential for credential exposure makes it a high-value target for cybercriminal groups.

Mitigations

CISA is urging organizations that use Ivanti Endpoint Manager to review their environments and apply vendor-recommended mitigations immediately.

Security teams should prioritize the following actions:

  • Apply security updates or mitigations provided by Ivanti as soon as they become available.
  • Follow CISA’s Binding Operational Directive (BOD) 22-01 guidelines for vulnerability remediation.
  • Monitor network logs and endpoint activity for signs of unauthorized access or credential exposure.
  • Restrict external access to endpoint management infrastructure wherever possible.

If patches or mitigations are not available, CISA advises organizations to consider temporarily discontinuing the use of affected systems until the issue can be properly addressed.

CISA encourages organizations across both public and private sectors to integrate the KEV catalog into their vulnerability management workflows.

Unlike traditional vulnerability lists that include theoretical risks, the KEV catalog highlights vulnerabilities that attackers are actively exploiting.

By prioritizing remediation of KEV-listed vulnerabilities, organizations can significantly reduce their exposure to real-world cyber threats and better defend against ongoing attack campaigns targeting critical infrastructure and enterprise systems.
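One concrete way to do that integration, as an added example that is not part of the article and not CISA or Ivanti code: the script below parses a KEV feed document, matches its entries against a local asset inventory, and computes how much of the BOD 22-01 remediation window remains for each affected host. The feed snippet is constructed here and mirrors the catalog entry described above (added 2026-03-09, due 2026-03-23, CWE-288, no confirmed ransomware use); its field names follow the public KEV JSON schema. The feed URL, the inventory format, the hostnames and the second vendor are assumptions.

```python
"""Match CISA KEV catalog entries against a local asset inventory.

Added example for this article, not CISA or Ivanti code. KEV_FEED_JSON is a
constructed sample using the field names of the public KEV JSON feed (cveID,
vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse, cwes).
Assumed live feed URL (replace KEV_FEED_JSON with its contents for real data):
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json
import re
from datetime import date

# Constructed KEV feed sample; values mirror the entry described in the article.
KEV_FEED_JSON = r"""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2026.03.09",
  "count": 1,
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-1603",
      "vendorProject": "Ivanti",
      "product": "Endpoint Manager (EPM)",
      "vulnerabilityName": "Ivanti Endpoint Manager Authentication Bypass Using an Alternate Path or Channel Vulnerability",
      "dateAdded": "2026-03-09",
      "shortDescription": "Ivanti Endpoint Manager contains an authentication bypass vulnerability that allows a remote unauthenticated attacker to read specific stored credential data.",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2026-03-23",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "",
      "cwes": ["CWE-288"]
    }
  ]
}
"""

# Constructed asset inventory (hostnames and the second vendor are assumptions).
INVENTORY = [
    {"host": "epm01.corp.example", "vendor": "Ivanti", "product": "Endpoint Manager"},
    {"host": "build01.corp.example", "vendor": "ExampleVendor", "product": "Build Agent"},
]


def normalize(name: str) -> str:
    """Lower-case a vendor/product name and drop parenthetical aliases such as
    '(EPM)', so inventory strings and KEV strings can be compared."""
    name = re.sub(r"\([^)]*\)", "", name)
    return re.sub(r"\s+", " ", name).strip().lower()


def load_kev(feed_json: str) -> list:
    """Return the 'vulnerabilities' array of a KEV feed document."""
    return json.loads(feed_json)["vulnerabilities"]


def product_matches(kev_entry: dict, asset: dict) -> bool:
    """Match on vendor first, then on product-name containment in either direction,
    because KEV product strings ('Endpoint Manager (EPM)') rarely equal CMDB names."""
    if normalize(kev_entry["vendorProject"]) != normalize(asset["vendor"]):
        return False
    kev_product = normalize(kev_entry["product"])
    asset_product = normalize(asset["product"])
    return kev_product in asset_product or asset_product in kev_product


def triage(feed_json: str, inventory: list, today) -> list:
    """Return one finding per (asset, KEV entry) pair, soonest due date first.

    'today' may be a datetime.date or an ISO 'YYYY-MM-DD' string. days_left is
    the remaining BOD 22-01 window; a negative value means the host is overdue.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for entry in load_kev(feed_json):
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if product_matches(entry, asset):
                days_left = (due - today).days
                findings.append({
                    "host": asset["host"],
                    "cveID": entry["cveID"],
                    "dateAdded": entry["dateAdded"],
                    "dueDate": entry["dueDate"],
                    "days_left": days_left,
                    "overdue": days_left < 0,
                    "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
                    "cwes": entry.get("cwes", []),
                    "requiredAction": entry["requiredAction"],
                })
    return sorted(findings, key=lambda f: (f["dueDate"], f["host"]))


if __name__ == "__main__":
    for f in triage(KEV_FEED_JSON, INVENTORY, "2026-03-10"):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['host']}: {f['cveID']} due {f['dueDate']} ({status}); "
              f"CWE={','.join(f['cwes'])}; ransomware={f['ransomware']}")
```

Run against the live feed, the same loop gives a per-host list sorted by CISA due date, which is the ordering BOD 22-01 imposes on federal agencies and a reasonable default for anyone else; the `ransomware` field lets a team bump entries with confirmed ransomware use ahead of those marked "Unknown".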

As threat actors continue to focus on enterprise management tools, security experts stress the importance of rapid patching, continuous monitoring, and strict access controls to reduce the risk posed by vulnerabilities like CVE-2026-1603.
