theinfosecnews
theinfosecnews
Subscribe to Daily Digest

CVE-2026-1603

CISA KEV

Published March 9, 2026 · Updated April 3, 2026

high

What This Means

# CVE-2026-1603: Ivanti Endpoint Manager Authentication Bypass Ivanti Endpoint Manager (EPM) contains an authentication bypass flaw that permits remote, unauthenticated attackers to access an alternate code path or channel, exposing stored credential data without requiring valid credentials. **Impact:** Attackers can extract sensitive credentials—likely including domain accounts, API keys, or service account passwords—stored within EPM, enabling lateral movement and privilege escalation across managed endpoints. **Required Actions:** Immediately inventory all Ivanti EPM deployments. Apply patches from Ivanti when released. If patching is delayed, restrict network access to EPM administrative interfaces using firewall rules or network segmentation. Audit EPM logs for suspicious unauthenticated access attempts. Rotate credentials for all accounts managed or stored by affected EPM instances.

Official Description+

Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential data.

Affected Products

VendorProduct
Ivanti Endpoint Manager (EPM)

Patch Status

Patch by 2026-03-23

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2026-1603.

Related Coverage

Vvulnerability

CVE-2026-1603: Ivanti EPM Authentication Bypass Exposes Stored Credentials to Unauthenticated Attackers

CVE-2026-1603 is an authentication bypass vulnerability in Ivanti Endpoint Manager (EPM) that allows remote, unauthenticated attackers to access stored credential data including domain accounts, API keys, and service account passwords. Exploitation enables lateral movement and privilege escalation across all endpoints managed by the affected EPM instance. CISA has mandated federal agency remediation by March 23, 2026, and all organizations running Ivanti EPM should apply patches immediately and rotate affected credentials.

CISA KEV·25d ago·3 min read