Mallory

Ivanti Endpoint Manager Authentication Bypass and SQL Injection Vulnerabilities

Tags: authentication bypass, sql injection, unauthenticated access, privilege escalation, endpoint management, endpoint manager, security updates, data leakage, stored credentials, vulnerability, credential exposure, ivanti, enterprise it, patch
Updated February 12, 2026 at 11:01 PM | 3 sources

Get Ahead of Threats Like This

Know if you're exposed — before adversaries strike.

Ivanti released security updates for Endpoint Manager (EPM) to fix two vulnerabilities affecting EPM 2024 SU4 SR1 and earlier: CVE-2026-1603 (CVSS 8.6) and CVE-2026-1602 (CVSS 6.5). CVE-2026-1603 is an authentication bypass that a remote, unauthenticated attacker can exploit to access and leak specific stored credential data, creating a high-risk path to credential exposure and follow-on compromise in environments where EPM operates with elevated privileges across endpoints.

CVE-2026-1602 is a SQL injection issue that requires authentication and can allow a remote authenticated attacker to read arbitrary data from the EPM database, driving confidentiality risk (data leakage) rather than integrity/availability impact. The fixed release is EPM 2024 SU5, and the update also addresses 11 medium-severity vulnerabilities previously disclosed in October 2025; organizations running affected versions were advised to patch immediately due to the platform’s central role in enterprise endpoint administration.

Sources

ZDI published advisories: ZDI-26-080 | Zero Day Initiative (February 12, 2026 at 12:00 AM)

Related Stories

Critical Remote Code Execution Vulnerability in Ivanti Endpoint Manager (CVE-2025-10573)

Ivanti has disclosed a critical vulnerability (CVE-2025-10573) in its Endpoint Manager (EPM) software, which allows unauthenticated remote attackers to execute arbitrary JavaScript code via a stored cross-site scripting (XSS) attack. The flaw enables attackers to register fake managed endpoints to the EPM server, thereby injecting malicious JavaScript into the administrator web dashboard. When an administrator interacts with the compromised dashboard, the attacker can hijack the session and potentially gain full control over the EPM environment. Ivanti has released a patch (EPM 2024 SU4 SR1) to address this issue and strongly urges customers to update, especially since hundreds of EPM instances are exposed to the internet, increasing the risk of exploitation. The vulnerability, assigned a CVSS score of 9.6, affects EPM versions 2024 SU4 and below. Security researchers at Rapid7, who discovered and reported the flaw, emphasize the urgency of patching due to the unauthenticated nature of the attack vector. Ivanti EPM is widely used for endpoint management, remote administration, and compliance, making it a high-value target for attackers. In addition to CVE-2025-10573, Ivanti has also released fixes for three other high-severity vulnerabilities in the same update cycle. Security teams are advised to apply the latest patches immediately and review the exposure of EPM instances to the internet to mitigate the risk of compromise.

3 months ago
CISA Flags Actively Exploited Ivanti Endpoint Manager Authentication Bypass (CVE-2026-1603)

CISA added Ivanti Endpoint Manager (EPM) vulnerability CVE-2026-1603 to the Known Exploited Vulnerabilities (KEV) catalog, warning it is being actively exploited and directing U.S. federal agencies to remediate within mandated timelines. The flaw is described as an authentication bypass (CWE-288) that allows remote, unauthenticated attackers to access and steal sensitive stored credential data, creating elevated risk because EPM is commonly used as a central platform for managing large endpoint fleets. Ivanti addressed CVE-2026-1603 in Ivanti EPM 2024 SU5; reporting indicates the same release also fixed an SQL injection issue that could allow authenticated attackers to read arbitrary database data. Public reporting notes CISA did not provide detailed exploitation telemetry, and Ivanti stated it was not aware of customer exploitation prior to public disclosure; external monitoring cited 700+ internet-facing EPM instances observed by Shadowserver, underscoring potential exposure where systems remain unpatched.

1 week ago

Multiple High-Severity Vulnerabilities in Ivanti Endpoint Manager Including Remote Code Execution and SQL Injection

Ivanti Endpoint Manager has been found to contain a total of 13 security vulnerabilities, including high-severity remote code execution (RCE) and 11 SQL injection flaws. Security researchers disclosed that these vulnerabilities could allow attackers to compromise systems managed by Ivanti Endpoint Manager, a widely used enterprise IT management solution. Among the most critical issues is CVE-2025-9713, which enables remote, unauthenticated attackers to achieve code execution through a path traversal flaw, provided user interaction occurs. The CVSS score for this vulnerability is 8.8, indicating a high risk to organizations using affected versions. The vulnerabilities were publicly disclosed in mid-October 2025, prompting urgent attention from security teams. The SQL injection vulnerabilities could allow attackers to manipulate backend databases, potentially leading to data exfiltration or further compromise of the management infrastructure. The RCE flaw, in particular, poses a significant threat as it could be exploited remotely, increasing the attack surface for threat actors. Ivanti has not yet published a comprehensive list of affected product versions, but the risk profile suggests that a broad range of deployments may be impacted. Security advisories recommend immediate review of Ivanti Endpoint Manager deployments and the application of any available patches or mitigations. Organizations are urged to monitor for signs of exploitation and to implement network segmentation to limit potential lateral movement. The vulnerabilities highlight the ongoing risks associated with enterprise management platforms, which often have elevated privileges across corporate environments. No reports of active exploitation have been confirmed at the time of disclosure, but the technical details suggest that exploitation would be feasible for skilled attackers. 
The disclosure underscores the importance of timely vulnerability management and the need for robust monitoring of critical IT infrastructure. Security teams should prioritize patching and consider additional controls such as application whitelisting and enhanced logging. The incident serves as a reminder of the potential impact of vulnerabilities in widely deployed enterprise software. Given the severity and nature of the flaws, organizations should treat this as a high-priority security event. The situation remains dynamic as further technical details and remediation guidance are expected from Ivanti and the security community.

5 months ago
