Mallory

CISA Flags Actively Exploited Ivanti Endpoint Manager Authentication Bypass (CVE-2026-1603)

Tags: authentication bypass, remote unauthenticated, endpoint management, endpoint manager, CISA KEV, actively exploited, internet-facing, credential theft, vulnerability, stored credentials, SQL injection, patching, Ivanti EPM
Updated March 10, 2026 at 03:13 PM · 2 sources
Get Ahead of Threats Like This

Know if you're exposed — before adversaries strike.

CISA added Ivanti Endpoint Manager (EPM) vulnerability CVE-2026-1603 to the Known Exploited Vulnerabilities (KEV) catalog, warning it is being actively exploited and directing U.S. federal agencies to remediate within mandated timelines. The flaw is described as an authentication bypass (CWE-288) that allows remote, unauthenticated attackers to access and steal sensitive stored credential data, creating elevated risk because EPM is commonly used as a central platform for managing large endpoint fleets.

Ivanti addressed CVE-2026-1603 in Ivanti EPM 2024 SU5; reporting indicates the same release also fixed an SQL injection issue that could allow authenticated attackers to read arbitrary database data. Public reporting notes CISA did not provide detailed exploitation telemetry, and Ivanti stated it was not aware of customer exploitation prior to public disclosure; external monitoring cited 700+ internet-facing EPM instances observed by Shadowserver, underscoring potential exposure where systems remain unpatched.
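A defender-side way to act on a KEV addition like this one, as an added example and not code from Mallory, CISA or Ivanti: it parses an excerpt in the shape of CISA's KEV JSON feed, matches entries against a constructed asset inventory, drops hosts already on the fixed release (EPM 2024 SU5, as stated in the advisory, with an assumed year/SU/SR ordering for EPM version strings), and ranks the rest with internet-facing hosts and the nearest KEV due date first. The host names, the feed's dateAdded/dueDate values and the third feed entry are constructed placeholders.

```python
"""Correlate a CISA KEV-style feed with a local asset inventory to rank patching work.

Added example for this page, not code from Mallory, CISA or Ivanti. The feed
excerpt, host inventory and dates below are constructed for illustration.
"""
import json
import re
from datetime import date

# Constructed excerpt in the shape of CISA's KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names follow the real feed; dateAdded/dueDate values are placeholders.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-1603",
            "vendorProject": "Ivanti",
            "product": "Endpoint Manager (EPM)",
            "dateAdded": "2026-03-09",   # placeholder
            "dueDate": "2026-03-30",     # placeholder
        },
        {
            "cveID": "CVE-2024-43468",
            "vendorProject": "Microsoft",
            "product": "Configuration Manager",
            "dateAdded": "2026-02-12",   # placeholder
            "dueDate": "2026-03-05",     # March 5 deadline from the story; year assumed
        },
        {
            "cveID": "CVE-0000-0000",    # constructed entry for a product not in inventory
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2026-03-01",
            "dueDate": "2026-03-22",
        },
    ]
})

# Constructed inventory; vendor/product strings are normalised to match the feed.
INVENTORY = [
    {"host": "epm-core-01", "vendor": "Ivanti", "product": "Endpoint Manager (EPM)",
     "version": "2024 SU4 SR1", "internet_facing": True},
    {"host": "epm-core-02", "vendor": "Ivanti", "product": "Endpoint Manager (EPM)",
     "version": "2024 SU5", "internet_facing": False},
    {"host": "sccm-site-01", "vendor": "Microsoft", "product": "Configuration Manager",
     "version": "2403", "internet_facing": False},
]


def parse_epm_version(text):
    """Turn an Ivanti EPM release string such as '2024 SU4 SR1' into a comparable tuple.

    Assumed ordering for this example: (year, service update, service release);
    a missing SU or SR counts as 0, so '2024 SU5' sorts after '2024 SU4 SR1'.
    """
    m = re.fullmatch(r"(\d{4})(?:\s+SU(\d+))?(?:\s+SR(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised EPM version string: {text!r}")
    year, su, sr = m.groups()
    return (int(year), int(su or 0), int(sr or 0))


# Fixed release per CVE, paired with the parser for that product's version strings.
# Only the EPM fix (2024 SU5, from the advisory) is recorded; assets matching a CVE
# without an entry here are flagged for manual verification instead.
FIXED_IN = {
    "CVE-2026-1603": ("2024 SU5", parse_epm_version),
}


def load_kev(raw_json):
    """Index a KEV feed document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def affected_assets(kev, inventory, today_iso):
    """Return inventory hosts that match KEV entries, ranked for remediation.

    Hosts already on a known fixed release are dropped. Internet-facing hosts sort
    first, then the nearest KEV due date (a negative days_to_due means overdue).
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for cve_id, entry in kev.items():
        for asset in inventory:
            if (asset["vendor"], asset["product"]) != (entry["vendorProject"], entry["product"]):
                continue
            fix = FIXED_IN.get(cve_id)
            if fix is not None:
                fixed_version, parse = fix
                if parse(asset["version"]) >= parse(fixed_version):
                    continue  # patched release already installed
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": cve_id,
                "status": "vulnerable" if fix is not None else "verify",
                "internet_facing": asset["internet_facing"],
                "days_to_due": (due - today).days,
            })
    findings.sort(key=lambda f: (not f["internet_facing"], f["days_to_due"]))
    return findings


if __name__ == "__main__":
    for f in affected_assets(load_kev(KEV_SAMPLE), INVENTORY, "2026-03-10"):
        print(f["host"], f["cve"], f["status"], f["internet_facing"], f["days_to_due"])
```

Run against the real feed, the only changes are fetching the JSON over HTTPS, loading the inventory from your CMDB export, and extending FIXED_IN (with a version parser per product) as vendors publish fixed releases; hosts that match a KEV entry with no recorded fix come back as "verify" so they are not silently dropped.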

Related Stories

Ivanti Endpoint Manager Authentication Bypass and SQL Injection Vulnerabilities

Ivanti released security updates for *Endpoint Manager (EPM)* to fix two vulnerabilities affecting **EPM 2024 SU4 SR1 and earlier**: **CVE-2026-1603** (CVSS 8.6) and **CVE-2026-1602** (CVSS 6.5). CVE-2026-1603 is an **authentication bypass** that can be exploited by a **remote, unauthenticated** attacker to access/leak specific **stored credential data**, creating a high-risk path to credential exposure and follow-on compromise in environments where EPM operates with elevated privileges across endpoints. CVE-2026-1602 is a **SQL injection** issue that requires **authentication** and can allow a remote authenticated attacker to **read arbitrary data from the EPM database**, driving confidentiality risk (data leakage) rather than integrity/availability impact. The fixed release is **EPM 2024 SU5**, and the update also addresses **11 medium-severity vulnerabilities** previously disclosed in October 2025; organizations running affected versions were advised to patch immediately due to the platform’s central role in enterprise endpoint administration.

1 month ago

Critical Remote Code Execution Vulnerability in Ivanti Endpoint Manager (CVE-2025-10573)

Ivanti has disclosed a critical vulnerability (CVE-2025-10573) in its Endpoint Manager (EPM) software, which allows unauthenticated remote attackers to execute arbitrary JavaScript code via a stored cross-site scripting (XSS) attack. The flaw enables attackers to register fake managed endpoints to the EPM server, thereby injecting malicious JavaScript into the administrator web dashboard. When an administrator interacts with the compromised dashboard, the attacker can hijack the session and potentially gain full control over the EPM environment. Ivanti has released a patch (EPM 2024 SU4 SR1) to address this issue and strongly urges customers to update, especially since hundreds of EPM instances are exposed to the internet, increasing the risk of exploitation. The vulnerability, assigned a CVSS score of 9.6, affects EPM versions 2024 SU4 and below. Security researchers at Rapid7, who discovered and reported the flaw, emphasize the urgency of patching due to the unauthenticated nature of the attack vector. Ivanti EPM is widely used for endpoint management, remote administration, and compliance, making it a high-value target for attackers. In addition to CVE-2025-10573, Ivanti has also released fixes for three other high-severity vulnerabilities in the same update cycle. Security teams are advised to apply the latest patches immediately and review the exposure of EPM instances to the internet to mitigate the risk of compromise.

3 months ago
CISA Flags Actively Exploited Microsoft Configuration Manager RCE (CVE-2024-43468)

The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) added **CVE-2024-43468** to its Known Exploited Vulnerabilities (KEV) catalog after determining the flaw is being **actively exploited in the wild**. The vulnerability is a **critical (CVSS 9.8) SQL injection** in *Microsoft Configuration Manager* (ConfigMgr/SCCM) that can allow an **unauthenticated remote attacker** to achieve **remote code execution** by sending specially crafted requests, enabling command execution on the ConfigMgr server and/or its underlying site database with **high/`SYSTEM`-level impact**. CISA set a remediation deadline of **March 5** for U.S. Federal Civilian Executive Branch agencies under its Binding Operational Directive requirements; public reporting noted Microsoft’s advisory had previously assessed exploitation as “less likely,” and Microsoft had not (as of reporting) publicly detailed the threat actors or scope of exploitation. The issue was originally patched by Microsoft in **October 2024** after being reported by **Synacktiv**, and proof-of-concept exploit code was later published (including by Synacktiv), lowering the barrier to weaponization. Separate CISA KEV updates the same week also drove patching urgency across other widely deployed products (including **SolarWinds Web Help Desk** and multiple **Apple** platforms for a reportedly “extremely sophisticated” targeted attack), reinforcing that organizations should treat KEV additions as a high-confidence signal to accelerate patching and exposure reduction—particularly for internet-reachable management tooling like ConfigMgr that can provide broad administrative control if compromised.

1 month ago
