Key Takeaway
CVE-2026-1603 is an authentication bypass vulnerability in Ivanti Endpoint Manager (EPM) that allows remote, unauthenticated attackers to access an alternate authentication channel and extract stored credential data. The flaw requires no prior access or user interaction, making internet-exposed EPM instances immediately at risk. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog with a federal patch deadline of March 23, 2026.
CVE-2026-1603: Ivanti Endpoint Manager Authentication Bypass
Affected Product: Ivanti Endpoint Manager (EPM)
Vulnerability Type: Authentication Bypass via Alternate Path or Channel
Attack Vector: Remote, Unauthenticated
CISA KEV Patch Deadline: March 23, 2026
Vulnerability Overview
CVE-2026-1603 is an authentication bypass vulnerability in Ivanti Endpoint Manager (EPM) that allows a remote, unauthenticated attacker to access protected functionality through an alternate authentication path or channel. Successful exploitation enables credential data leakage — specifically, the retrieval of sensitive credentials stored within the EPM platform.
No valid session token, username, or password is required to trigger the vulnerability. An attacker with network access to an exposed EPM instance can bypass the standard authentication gate entirely and directly query stored credential material.
Technical Details
The flaw falls under CWE-288 (Authentication Bypass Using an Alternate Path or Channel). This class of vulnerability arises when an application enforces authentication controls on the primary access path but leaves secondary or internal endpoints accessible without equivalent enforcement.
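To make the CWE-288 pattern concrete, here is an added illustration (not Ivanti's code, and not a reconstruction of the EPM flaw) of a hypothetical minimal request router: the vulnerable form checks authentication inside each handler and a later-added secondary route simply omits the check, while the hardened form enforces the check once at the dispatcher so every route is protected unless explicitly listed as public. The route paths, session token and credential store are constructed for the demo.

```python
"""CWE-288 illustration: per-handler auth checks vs. deny-by-default dispatch.

Added example with hypothetical routes; it is not Ivanti EPM code and does not
model the real CVE-2026-1603 path. All names and values below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for a management platform's store.
CREDENTIAL_STORE = {"svc-deploy": "PLACEHOLDER-SECRET"}
VALID_SESSIONS = {"session-abc123"}  # constructed session token


@dataclass
class Request:
    path: str
    session: Optional[str] = None


def is_authenticated(req: Request) -> bool:
    return req.session in VALID_SESSIONS


# --- Vulnerable pattern: each handler is responsible for its own check -------
def ui_credentials(req: Request):
    if not is_authenticated(req):
        return 401, None
    return 200, sorted(CREDENTIAL_STORE)


def legacy_export(req: Request):
    # Secondary channel added later; nobody wired the check into it.
    return 200, dict(CREDENTIAL_STORE)


VULNERABLE_ROUTES = {
    "/console/credentials": ui_credentials,
    "/legacy/export": legacy_export,
}


def dispatch_vulnerable(req: Request):
    handler = VULNERABLE_ROUTES.get(req.path)
    if handler is None:
        return 404, None
    return handler(req)  # the alternate path reaches the data unauthenticated


# --- Hardened pattern: authentication enforced once, before any handler ------
def health(req: Request):
    return 200, "ok"


HARDENED_ROUTES = {
    "/health": health,
    "/console/credentials": ui_credentials,
    "/legacy/export": legacy_export,
}
PUBLIC_ROUTES = {"/health"}  # the only explicit exceptions


def dispatch_hardened(req: Request):
    handler = HARDENED_ROUTES.get(req.path)
    if handler is None:
        return 404, None
    # Deny by default: a handler cannot opt out of authentication by omission.
    if req.path not in PUBLIC_ROUTES and not is_authenticated(req):
        return 401, None
    return handler(req)
```

The defensive point is where the check lives: when authorization is a property of the dispatcher rather than of each handler, adding a new route cannot silently create an unauthenticated channel.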
In Ivanti EPM's case, the alternate channel provides read access to stored credentials — data that EPM manages as part of its core function of deploying software, configurations, and policies across enterprise endpoints. Depending on what credentials EPM stores in a given environment, this can include service account passwords, administrative credentials, or domain-joined system secrets.
The remote, unauthenticated nature of the attack vector means no prior foothold is required. An attacker who can reach the EPM server over the network — whether from the internet or an internal segment — can execute the exploit without user interaction.
Real-World Impact
Ivanti EPM is widely deployed in enterprise environments as a centralized management platform for Windows endpoints. Organizations use it to push software, enforce policies, and manage device configurations at scale. The credential store EPM maintains is therefore a high-value target.
Exploitation of CVE-2026-1603 could allow an attacker to extract credentials and use them to move laterally across the network, escalate privileges, or gain persistent access to managed endpoints. Because EPM typically operates with elevated permissions across the environment, the blast radius of a credential compromise originating from EPM is broad.
CISA has added CVE-2026-1603 to the Known Exploited Vulnerabilities (KEV) catalog and mandated that federal civilian executive branch (FCEB) agencies remediate by March 23, 2026. The KEV listing indicates the agency has determined the vulnerability poses meaningful risk in active environments.
Ivanti has faced sustained scrutiny over its product security posture following multiple high-profile vulnerability disclosures across its product line — including CVE-2025-0282 and CVE-2024-21887 in Ivanti Connect Secure — several of which were exploited by nation-state actors before patches were available. Organizations running Ivanti products should treat new disclosures as high-priority given this track record.
Detection Guidance
SOC analysts should review Ivanti EPM access logs for the following indicators:
- Authentication attempts that do not follow normal session establishment patterns
- Requests to internal or administrative API endpoints from unauthenticated sources
- Unusual access to credential-related database tables or configuration files
- Network connections to EPM from unexpected source IPs, particularly external addresses
Log coverage depends on EPM's configured audit verbosity. If EPM logging has not been tuned, analysts may have limited visibility into alternative-path access attempts. Increasing log granularity should be an immediate operational step.
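As an added example of turning the indicators above into a repeatable check, the script below triages web access log lines for two of them: successful (2xx) responses on administrative or API paths with no session present, and traffic from source addresses outside a management allowlist. This is not Ivanti's tooling, and the log format, the protected path prefixes and the allowlist network are constructed assumptions; the regex and prefixes must be adapted to what your EPM or IIS instance actually writes.

```python
"""Triage of access log lines for alternate-path and off-allowlist indicators.

Added example. The log format (CLF-style plus an "auth=" field), the paths and
the addresses are constructed and are NOT Ivanti EPM's real log schema.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log: two management-network clients, one external client.
SAMPLE_LOG = """\
10.10.5.21 - [18/Mar/2026:09:14:02 +0000] "GET /console/login HTTP/1.1" 200 auth=none
10.10.5.21 - [18/Mar/2026:09:14:09 +0000] "GET /api/v1/config HTTP/1.1" 200 auth=sess
203.0.113.45 - [18/Mar/2026:09:16:31 +0000] "GET /api/v1/config HTTP/1.1" 200 auth=none
203.0.113.45 - [18/Mar/2026:09:16:33 +0000] "POST /api/v1/credentials/export HTTP/1.1" 200 auth=none
10.10.5.77 - [18/Mar/2026:09:20:00 +0000] "GET /api/v1/credentials HTTP/1.1" 401 auth=none
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) auth=(?P<auth>\S+)$'
)

# Assumed: prefixes that must never answer successfully without a session.
PROTECTED_PREFIXES = ("/api/", "/admin/")
# Assumed: the only network permitted to reach the management interface.
MANAGEMENT_ALLOWLIST = [ipaddress.ip_network("10.10.5.0/24")]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def in_allowlist(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_ALLOWLIST)


def triage(log_text):
    """Return a list of (reason, record) findings over the whole log."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; count these separately in production
        protected = rec["path"].startswith(PROTECTED_PREFIXES)
        # Indicator: protected endpoint returned success with no session.
        if protected and rec["auth"] == "none" and 200 <= rec["status"] < 300:
            findings.append(("unauthenticated-success-on-protected-path", rec))
        # Indicator: request from outside the management allowlist.
        if not in_allowlist(rec["ip"]):
            findings.append(("source-outside-allowlist", rec))
    return findings


def summarize(findings):
    """Count findings by (source IP, reason) for a quick pivot."""
    return Counter((rec["ip"], reason) for reason, rec in findings)


if __name__ == "__main__":
    for (ip, reason), n in sorted(summarize(triage(SAMPLE_LOG)).items()):
        print(f"{ip:16} {reason:45} {n}")
```

On the constructed sample, the 401 from the management network is not flagged (it is the gate working), while the external client's two successful unauthenticated API hits surface under both reasons; in a real review those two hits are the rows to pivot on for follow-up in the retrospective log review.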
Patching and Mitigation
1. Apply vendor patches immediately. Contact Ivanti directly for patch availability and version guidance specific to your EPM deployment. Monitor Ivanti's security advisories at ivanti.com/security for official patch releases.
2. Isolate EPM servers from untrusted networks. Until a patch is applied, restrict network access to EPM management interfaces using firewall rules or network segmentation. EPM should not be reachable from the public internet under any operational requirement.
3. Audit stored credentials. Inventory what credentials are stored within EPM. Prioritize rotation for any high-privilege accounts — domain administrators, service accounts, or accounts with access to sensitive systems.
4. Review EPM access logs. Perform a retrospective review of EPM authentication and access logs for suspicious activity prior to patching. Assume compromise is possible if the instance was network-accessible before mitigation.
5. Enforce network access controls. Apply allowlist-based IP restrictions to EPM administrative interfaces. Only management workstations and jump hosts with defined IP ranges should have access.
6. Federal agencies must patch by March 23, 2026 per CISA's Binding Operational Directive 22-01 requirements tied to the KEV catalog listing.
Organizations that cannot patch immediately must treat network isolation as a non-negotiable interim control. An unauthenticated credential leak from a platform with EPM's level of access represents a direct path to broad enterprise compromise.
Original Source
CISA KEV