A serious security flaw in Ivanti Endpoint Manager has caught federal attention after the Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities (KEV) catalog on March 9, 2026.
Tracked as CVE-2026-1603, the flaw is an authentication bypass affecting all versions of Ivanti Endpoint Manager prior to the 2024 SU5 release. It lets a remote, unauthenticated attacker retrieve sensitive credential data stored by the product without ever presenting valid login credentials.
Ivanti Endpoint Manager, commonly referred to as EPM, is a widely deployed client-based endpoint management platform that organizations use to manage and secure large fleets of devices across their networks.
Since the platform sits at the very center of an organization’s device management infrastructure, any flaw that exposes its stored credentials can have far-reaching consequences.
The vulnerability is classified under CWE-288, Authentication Bypass Using an Alternate Path or Channel: the product exposes a secondary access route that skips the normal authentication and authorization checks entirely.
CISA added the entry on the basis of evidence of active exploitation in the wild, which makes the flaw an immediate and serious threat to federal agencies and private enterprise environments alike.
The flaw was originally reported to Ivanti in November 2024 and was later publicly disclosed through Trend Micro’s Zero Day Initiative, a program that researches and reports software vulnerabilities to vendors and the broader security community.
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-1603 |
| Vendor / Product | Ivanti / Endpoint Manager (EPM) |
| Vulnerability Type | Authentication Bypass Using an Alternate Path or Channel |
| CWE Classification | CWE-288 |
| Affected Versions | Ivanti EPM versions prior to 2024 SU5 |
| Patched Version | Ivanti EPM 2024 SU5 |
| CISA KEV Added | March 9, 2026 |
| FCEB Patch Due | March 23, 2026 |
| Exploitation Status | Actively exploited in the wild |
| Ransomware Use | Unknown |
| Attack Vector | Remote, unauthenticated network access |
| Impact | Credential leak, lateral movement, privilege escalation |
| Related CVE | CVE-2026-1602 (SQL Injection — chained exploitation) |
Because the vulnerability now appears in the KEV catalog, Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate it on all affected systems no later than March 23, 2026.
The impact of CVE-2026-1603 goes well beyond a simple data exposure. Researchers confirmed that a successful exploit yields direct access to the EPM Credential Vault, including Domain Administrator password hashes and service account credentials stored within the management system.
Armed with those credentials, an attacker can move laterally across the network, reaching additional systems and escalating privileges with minimal effort.
The vulnerability is particularly alarming because it requires no prior authentication: any attacker who can reach the EPM management server over the network can carry out the attack.
How Attackers Exploit the Authentication Bypass
The root cause of CVE-2026-1603 is a malformed header concatenation flaw in a specific endpoint of the EPM application.
Certain API calls in Ivanti EPM were never placed behind the authentication controls that govern the rest of the software, leaving an unguarded path that attackers can use without submitting any credentials.
Research showed that exploitation is straightforward: a crafted HTTP request carrying a specific "magic number" value, the integer 64, lets an attacker reach protected EPM endpoints directly and pull encrypted credential blobs associated with high-privilege accounts.
This undermines the endpoint management trust model that enterprises rely on to keep their device fleets secure.
CVE-2026-1603 can also be chained with a companion SQL injection vulnerability, CVE-2026-1602, which on its own requires an authenticated attacker and allows reading arbitrary records from the EPM database. In a chained attack the bypass removes that authentication requirement and the injection then exposes arbitrary database records, which makes combined exploitation a severe and realistic scenario.
Organizations running Ivanti EPM should upgrade immediately to version 2024 SU5, the release in which this flaw is addressed.
For teams unable to patch right away, CISA recommends blocking external internet access to the EPM management ports (80 and 443) and enforcing strict IP allowlisting so that only trusted administrative hosts can reach the server.
Security teams should also monitor authentication logs for unexpected access to protected resources and watch for unusual API requests from unknown or external addresses.
Organizations with cloud-based deployments should follow the applicable BOD 22-01 guidance. Where no mitigation is feasible, CISA advises discontinuing use of the product until the patch can be applied.
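As an added example (not code from this article, from Ivanti or from CISA), the following Python script applies two of the monitoring checks above to an IIS W3C log, the default log format of the IIS front end an EPM core server runs on: it flags requests whose client address falls outside an administrative allowlist, and successful (2xx) requests to a protected path that IIS logged with no authenticated user. The allowlist, the protected path prefix, the URI paths and every log line are constructed placeholders for illustration, not real EPM routes or real traffic.

```python
"""Flag requests to an Ivanti EPM management server from non-allowlisted sources.

Added example (not Ivanti or CISA code). Parses IIS W3C extended log text and
applies two checks from the mitigation guidance: client addresses outside the
administrative allowlist, and 2xx responses on a protected path with no
authenticated user. Allowlist, prefix, paths and log lines are placeholders.
"""
import ipaddress
from collections import Counter

# Assumption: only these networks host administrative consoles.
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("192.168.50.10/32"),
]

# Placeholder prefix standing in for the server's protected API surface.
PROTECTED_PREFIX = "/console/api/"

# Constructed IIS W3C sample. IIS writes '+' for spaces inside the User-Agent
# field, so whitespace splitting yields exactly one token per #Fields column.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2026-03-10 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-03-10 08:01:12 10.0.0.5 GET /console/login - 443 jdoe 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200
2026-03-10 08:03:40 10.0.0.5 POST /console/api/devices - 443 jdoe 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200
2026-03-10 08:07:55 10.0.0.5 GET /console/api/credentials - 443 - 203.0.113.77 python-requests/2.31 200
2026-03-10 08:08:01 10.0.0.5 GET /console/api/credentials - 443 - 203.0.113.77 python-requests/2.31 200
2026-03-10 08:09:30 10.0.0.5 GET /console/login - 443 - 198.51.100.9 curl/8.5.0 401
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                # A log can redeclare its fields mid-file; honour the latest directive.
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line precedes any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or corrupt line; skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def is_allowlisted(ip, allowlist):
    """True if ip falls inside any allowlisted network; unparseable addresses count as unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def find_unexpected_requests(log_text, allowlist, protected_prefix):
    """Apply the allowlist and anonymous-success checks to W3C log text."""
    rows = parse_w3c(log_text)
    offlist = [r for r in rows if not is_allowlisted(r["c-ip"], allowlist)]
    anon_success = [
        r for r in rows
        if r["cs-username"] == "-"  # IIS logs '-' when no user was authenticated
        and r["cs-uri-stem"].startswith(protected_prefix)
        and r["sc-status"].startswith("2")
    ]
    by_source = Counter((r["c-ip"], r["cs-uri-stem"]) for r in offlist)
    return {"offlist": offlist, "anon_success": anon_success, "by_source": by_source}


if __name__ == "__main__":
    result = find_unexpected_requests(SAMPLE_LOG, ADMIN_ALLOWLIST, PROTECTED_PREFIX)
    for (src, path), n in result["by_source"].most_common():
        print(f"off-allowlist source {src} hit {path} {n} time(s)")
    for r in result["anon_success"]:
        print(f"anonymous {r['sc-status']} on {r['cs-uri-stem']} from {r['c-ip']} at {r['date']} {r['time']}")
```

The anonymous-success check is the more useful of the two against an authentication bypass: a request that the allowlist would have blocked anyway is noise, but a 2xx on a protected path with no logged user is exactly the trace a bypass leaves even when the source address looks internal. Point the script at the live log directory rather than the embedded sample, and tune the prefix to the paths the server actually protects.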