CISA Flags Actively Exploited Ivanti Endpoint Manager Authentication Bypass (CVE-2026-1603)
CISA added Ivanti Endpoint Manager (EPM) vulnerability CVE-2026-1603 to the Known Exploited Vulnerabilities (KEV) catalog, warning it is being actively exploited and directing U.S. federal agencies to remediate within mandated timelines. The flaw is described as an authentication bypass (CWE-288) that allows remote, unauthenticated attackers to access and steal sensitive stored credential data, creating elevated risk because EPM is commonly used as a central platform for managing large endpoint fleets.
Ivanti addressed CVE-2026-1603 in Ivanti EPM 2024 SU5; reporting indicates the same release also fixed an SQL injection issue that could allow authenticated attackers to read arbitrary database data. Public reporting notes CISA did not provide detailed exploitation telemetry, and Ivanti stated it was not aware of customer exploitation prior to public disclosure; external monitoring cited 700+ internet-facing EPM instances observed by Shadowserver, underscoring potential exposure where systems remain unpatched.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Ivanti says it was unaware of exploitation before disclosure
Ivanti stated it was not aware of customer exploitation of CVE-2026-1603 prior to the public disclosure and said the issues were reported through its responsible disclosure program. The statement accompanied public reporting on CISA's KEV listing and active exploitation warning.
Ivanti patches EPM flaws in 2024 SU5
Ivanti released Endpoint Manager 2024 SU5 to fix CVE-2026-1603, an authentication-bypass flaw, and CVE-2026-1602, an SQL injection issue. The update addressed affected EPM versions prior to 2024 SU5.
CISA orders federal agencies to patch by March 23
Under Binding Operational Directive 22-01, CISA required U.S. Federal Civilian Executive Branch agencies to remediate CVE-2026-1603 within three weeks, setting a deadline of 2026-03-23. Guidance also urged organizations to upgrade to EPM 2024 SU5 or apply mitigations such as restricting access to ports 80 and 443.
CISA adds CVE-2026-1603 to KEV catalog
On 2026-03-09, CISA added Ivanti Endpoint Manager vulnerability CVE-2026-1603 to its Known Exploited Vulnerabilities catalog after determining it was being actively exploited in the wild. The flaw allows remote unauthenticated access to the EPM Credential Vault and theft of stored credentials.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ivanti Endpoint Manager Authentication Bypass and SQL Injection Vulnerabilities
Ivanti released security updates for *Endpoint Manager (EPM)* to fix two vulnerabilities affecting **EPM 2024 SU4 SR1 and earlier**: **CVE-2026-1603** (CVSS 8.6) and **CVE-2026-1602** (CVSS 6.5). CVE-2026-1603 is an **authentication bypass** that can be exploited by a **remote, unauthenticated** attacker to access/leak specific **stored credential data**, creating a high-risk path to credential exposure and follow-on compromise in environments where EPM operates with elevated privileges across endpoints. CVE-2026-1602 is a **SQL injection** issue that requires **authentication** and can allow a remote authenticated attacker to **read arbitrary data from the EPM database**, driving confidentiality risk (data leakage) rather than integrity/availability impact. The fixed release is **EPM 2024 SU5**, and the update also addresses **11 medium-severity vulnerabilities** previously disclosed in October 2025; organizations running affected versions were advised to patch immediately due to the platform’s central role in enterprise endpoint administration.
Mar 21, 2026
Critical Remote Code Execution Vulnerability in Ivanti Endpoint Manager (CVE-2025-10573)
Ivanti has disclosed a critical vulnerability (CVE-2025-10573) in its Endpoint Manager (EPM) software, which allows unauthenticated remote attackers to execute arbitrary JavaScript code via a stored cross-site scripting (XSS) attack. The flaw enables attackers to register fake managed endpoints to the EPM server, thereby injecting malicious JavaScript into the administrator web dashboard. When an administrator interacts with the compromised dashboard, the attacker can hijack the session and potentially gain full control over the EPM environment. Ivanti has released a patch (EPM 2024 SU4 SR1) to address this issue and strongly urges customers to update, especially since hundreds of EPM instances are exposed to the internet, increasing the risk of exploitation. The vulnerability, assigned a CVSS score of 9.6, affects EPM versions 2024 SU4 and below. Security researchers at Rapid7, who discovered and reported the flaw, emphasize the urgency of patching due to the unauthenticated nature of the attack vector. Ivanti EPM is widely used for endpoint management, remote administration, and compliance, making it a high-value target for attackers. In addition to CVE-2025-10573, Ivanti has also released fixes for three other high-severity vulnerabilities in the same update cycle. Security teams are advised to apply the latest patches immediately and review the exposure of EPM instances to the internet to mitigate the risk of compromise.
Mar 21, 2026
CISA Flags Actively Exploited Microsoft Configuration Manager RCE (CVE-2024-43468)
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) added **CVE-2024-43468** to its Known Exploited Vulnerabilities (KEV) catalog after determining the flaw is being **actively exploited in the wild**. The vulnerability is a **critical (CVSS 9.8) SQL injection** in *Microsoft Configuration Manager* (ConfigMgr/SCCM) that can allow an **unauthenticated remote attacker** to achieve **remote code execution** by sending specially crafted requests, enabling command execution on the ConfigMgr server and/or its underlying site database with **high/`SYSTEM`-level impact**. CISA set a remediation deadline of **March 5** for U.S. Federal Civilian Executive Branch agencies under its Binding Operational Directive requirements; public reporting noted Microsoft’s advisory had previously assessed exploitation as “less likely,” and Microsoft had not (as of reporting) publicly detailed the threat actors or scope of exploitation. The issue was originally patched by Microsoft in **October 2024** after being reported by **Synacktiv**, and proof-of-concept exploit code was later published (including by Synacktiv), lowering the barrier to weaponization. Separate CISA KEV updates the same week also drove patching urgency across other widely deployed products (including **SolarWinds Web Help Desk** and multiple **Apple** platforms for a reportedly “extremely sophisticated” targeted attack), reinforcing that organizations should treat KEV additions as a high-confidence signal to accelerate patching and exposure reduction—particularly for internet-reachable management tooling like ConfigMgr that can provide broad administrative control if compromised.
Mar 21, 2026