Ivanti Endpoint Manager Authentication Bypass and SQL Injection Vulnerabilities
Ivanti released security updates for Endpoint Manager (EPM) to fix two vulnerabilities affecting EPM 2024 SU4 SR1 and earlier: CVE-2026-1603 (CVSS 8.6) and CVE-2026-1602 (CVSS 6.5). CVE-2026-1603 is an authentication bypass that can be exploited by a remote, unauthenticated attacker to access/leak specific stored credential data, creating a high-risk path to credential exposure and follow-on compromise in environments where EPM operates with elevated privileges across endpoints.
CVE-2026-1602 is a SQL injection issue that requires authentication and can allow a remote authenticated attacker to read arbitrary data from the EPM database, driving confidentiality risk (data leakage) rather than integrity/availability impact. The fixed release is EPM 2024 SU5, and the update also addresses 11 medium-severity vulnerabilities previously disclosed in October 2025; organizations running affected versions were advised to patch immediately due to the platform’s central role in enterprise endpoint administration.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
ZDI publicly discloses CVE-2026-1603 technical details
Zero Day Initiative published advisory ZDI-26-080 for CVE-2026-1603, describing the AuthHelper authentication bypass, its remote exploitability without credentials, and its CVSS 8.6 severity. The disclosure noted Ivanti had already released an update and advisory as part of coordinated public release.
Belgium CCB warns organizations to patch Ivanti EPM immediately
Belgium's Centre for Cybersecurity Belgium published an advisory warning about the Ivanti Endpoint Manager vulnerabilities and urging immediate patching. The notice amplified the vendor's security update to affected organizations.
Ivanti releases EPM 2024 SU5 to patch two vulnerabilities
Ivanti released Endpoint Manager 2024 SU5 to fix CVE-2026-1603, a high-severity authentication bypass that can leak stored credential data, and CVE-2026-1602, a medium-severity SQL injection that can expose arbitrary database data. The flaws affect EPM 2024 SU4 SR1 and earlier, and Ivanti said it had observed no active exploitation before disclosure.
Researcher reports Ivanti EPM authentication bypass to vendor
A researcher working with Trend Zero Day Initiative reported the Ivanti Endpoint Manager authentication bypass vulnerability CVE-2026-1603 (ZDI-CAN-26885) to Ivanti through coordinated disclosure. ZDI states the report was submitted on November 25, 2025.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
ZDI-26-080 | Zero Day Initiative
zerodayinitiative.com
Open sourceWarning: Security update for Ivanti Endpoint Manager vulnerabilities, Patch Immediately! | CCB Safeonweb
ccb.belgium.be
Open sourceIvanti Endpoint Manager Vulnerability Lets Remote Attacker Leak Arbitrary Data
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Remote Code Execution Vulnerability in Ivanti Endpoint Manager (CVE-2025-10573)
Ivanti has disclosed a critical vulnerability (CVE-2025-10573) in its Endpoint Manager (EPM) software, which allows unauthenticated remote attackers to execute arbitrary JavaScript code via a stored cross-site scripting (XSS) attack. The flaw enables attackers to register fake managed endpoints to the EPM server, thereby injecting malicious JavaScript into the administrator web dashboard. When an administrator interacts with the compromised dashboard, the attacker can hijack the session and potentially gain full control over the EPM environment. Ivanti has released a patch (EPM 2024 SU4 SR1) to address this issue and strongly urges customers to update, especially since hundreds of EPM instances are exposed to the internet, increasing the risk of exploitation. The vulnerability, assigned a CVSS score of 9.6, affects EPM versions 2024 SU4 and below. Security researchers at Rapid7, who discovered and reported the flaw, emphasize the urgency of patching due to the unauthenticated nature of the attack vector. Ivanti EPM is widely used for endpoint management, remote administration, and compliance, making it a high-value target for attackers. In addition to CVE-2025-10573, Ivanti has also released fixes for three other high-severity vulnerabilities in the same update cycle. Security teams are advised to apply the latest patches immediately and review the exposure of EPM instances to the internet to mitigate the risk of compromise.
Mar 21, 2026
CISA Flags Actively Exploited Ivanti Endpoint Manager Authentication Bypass (CVE-2026-1603)
**CISA added Ivanti Endpoint Manager (EPM) vulnerability `CVE-2026-1603` to the Known Exploited Vulnerabilities (KEV) catalog**, warning it is being actively exploited and directing U.S. federal agencies to remediate within mandated timelines. The flaw is described as an **authentication bypass** (CWE-288) that allows **remote, unauthenticated** attackers to access and **steal sensitive stored credential data**, creating elevated risk because EPM is commonly used as a central platform for managing large endpoint fleets. Ivanti addressed `CVE-2026-1603` in **Ivanti EPM 2024 SU5**; reporting indicates the same release also fixed an **SQL injection** issue that could allow authenticated attackers to read arbitrary database data. Public reporting notes CISA did not provide detailed exploitation telemetry, and Ivanti stated it was not aware of customer exploitation prior to public disclosure; external monitoring cited **700+ internet-facing EPM instances** observed by Shadowserver, underscoring potential exposure where systems remain unpatched.
Mar 21, 2026
Ivanti EPMM Zero-Day CVE-2026-6973 Exploited via Stolen Admin Credentials
Ivanti disclosed active exploitation of **CVE-2026-6973**, a high-severity improper input validation flaw in on-premises **Endpoint Manager Mobile (EPMM)** that allows remote code execution when used with administrator authentication. The company said exploitation has been limited to a small number of customers and assessed with high confidence that attackers are using administrator credentials stolen during earlier January attacks involving **CVE-2026-1281** and **CVE-2026-1340**. Affected versions are EPMM releases prior to **12.6.1.1**, **12.7.0.1**, and **12.8.0.1**; Ivanti said **Neurons for MDM**, **EPM**, **Sentry**, and other products are not affected. Ivanti also patched four additional high-severity EPMM flaws—**CVE-2026-5786**, **CVE-2026-5787**, **CVE-2026-5788**, and **CVE-2026-7821**—covering certificate validation and access-control weaknesses that could enable host impersonation, unauthorized access, arbitrary method invocation, and unauthorized device enrollment, though the vendor said it has no evidence those bugs were exploited. **CISA** added CVE-2026-6973 to its **Known Exploited Vulnerabilities** catalog and ordered U.S. federal agencies to remediate by **May 10, 2026**, while national cyber agencies in Canada and Finland urged immediate patching. Ivanti advised customers to rotate EPMM administrator credentials, review privileged accounts, hunt for compromise artifacts such as webshells and reverse shells, and reduce public exposure of management interfaces; internet scans have identified more than **850** exposed EPMM instances, mainly in Europe and North America.
May 10, 2026