Mallory
High · CISA KEV · Exploited in the wild · Public exploit

Authentication Bypass in Ivanti Endpoint Manager

Identifiers: CVE-2026-1603, CWE-288 (Authentication Bypass Using an…)

CVE-2026-1603 is a high-severity authentication bypass vulnerability in Ivanti Endpoint Manager (EPM) affecting versions prior to 2024 SU5 (2024 SU4 SR1 and earlier, per the provided advisory context). The flaw is described as an authentication bypass using an alternate path or channel and, more specifically, as stemming from an alternative weak authentication path in the AuthHelper class. A remote attacker can exploit the issue over the network without authentication, privileges, or user interaction. Successful exploitation allows access to specific stored credential data, resulting in confidentiality impact without indicated integrity or availability impact. The provided CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N (8.6).


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote unauthenticated attacker to bypass EPM authentication controls and disclose specific stored credential data. This creates a high confidentiality impact and may expose credentials usable for follow-on access to managed systems, enterprise services, or administrative workflows, depending on what credentials are stored in the affected deployment. The supplied context does not indicate direct integrity or availability impact from this CVE itself.

Mitigation

If you can’t patch tonight, do this now.

No complete vendor workaround is provided in the supplied content aside from upgrading. Until remediation can be applied, reduce exposure by restricting network access to the EPM interface to trusted administrative networks only, such as via VPN, segmentation, firewall allowlisting, and removal of unnecessary internet exposure. Increase monitoring for suspicious unauthenticated access attempts and investigate for signs of credential access or misuse. These are interim risk-reduction measures only and should not be treated as a substitute for upgrading to 2024 SU5.

Remediation

Patch, then assume compromise.

Upgrade Ivanti Endpoint Manager to version 2024 SU5 or later. The provided Ivanti advisory states the issue is resolved in EPM 2024 SU5, available through the Ivanti License System. Organizations should prioritize testing and deployment of SU5, then audit EPM access and credential exposure to determine whether unauthorized access occurred before patching, because patching prevents future exploitation but does not remediate prior compromise.
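
The mitigation and remediation guidance above can be applied as a triage pass over an inventory of EPM core servers. This is an added example, not code from Ivanti or Mallory. It assumes release strings in the "2024 SU4 SR1" form used on this page; the CSV column names and host names are hypothetical, and strings in any other form are flagged for manual review rather than treated as patched.

```python
import csv, io, re

FIXED = (2024, 5, 0)  # 2024 SU5, the fixed release named on this page
_VER = re.compile(r"^\s*(\d{4})(?:\s+SU(\d+))?(?:\s+SR(\d+))?\s*$", re.I)

def parse_release(text):
    """Return (year, SU, SR) for strings like '2024 SU4 SR1', else None."""
    m = _VER.match(text or "")
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def triage(inventory_csv):
    """Classify each EPM core server and sort the most urgent first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        rel = parse_release(rec["release"])
        exposed = rec["internet_exposed"].strip().lower() == "yes"
        if rel is None:
            status = "unknown-version"      # never assume patched
        elif rel < FIXED:
            status = "vulnerable"
        else:
            status = "fixed"
        if status == "fixed":
            action = "audit access and stored credentials for pre-patch misuse"
        elif exposed:
            action = "restrict interface to admin networks now, then upgrade"
        else:
            action = "upgrade to 2024 SU5 or later"
        rows.append({"host": rec["host"], "status": status,
                     "exposed": exposed, "action": action})
    # Vulnerable before unknown before fixed; exposed hosts first within each.
    rank = {"vulnerable": 0, "unknown-version": 1, "fixed": 2}
    rows.sort(key=lambda r: (rank[r["status"]], not r["exposed"], r["host"]))
    return rows

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,release,internet_exposed
epm-core-01,2024 SU4 SR1,yes
epm-core-02,2024 SU5,no
epm-core-03,2022 SU8,no
epm-core-04,11.0.6,yes
epm-core-05,2024 SU3,no
"""

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f'{r["host"]:12} {r["status"]:16} exposed={r["exposed"]!s:5} {r["action"]}')
```

Hosts already on the fixed release still get an audit action, because patching does not address access that occurred before the upgrade.
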
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor   Product                  Type
Ivanti   Endpoint Manager         application
Ivanti   Endpoint Manager (Epm)   application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence (2)

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures (3)

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (54)

Community discussion across Reddit, Mastodon, and other social sources.