CVE-2026-1603

Ivanti Endpoint Manager (EPM) | Authentication Bypass Vulnerability

CVE-2026-1603 is an authentication bypass vulnerability affecting Ivanti Endpoint Manager (EPM) prior to version 2024 SU5. The vulnerability allows a remote attacker to access stored credential data without proper authentication. Ivanti assigns a CVSS v3 score of 8.6, while NVD lists a score of 7.5.

Successful exploitation could allow an attacker to retrieve sensitive credential information and perform unauthorized actions within the EPM environment. Because Ivanti EPM often operates with elevated privileges across managed endpoints, credential exposure can introduce downstream risk including lateral movement and broader system compromise.

Attack characteristics:

  • Attack vector: Network
  • Authentication required: None
  • User interaction: None
  • Impact: Authentication bypass leading to credential exposure
  • CVSS v3 score: 8.6 (Ivanti) / 7.5 (NVD)
  • Exploitation status: No public confirmation of active exploitation at time of publication

While this is not a remote code execution vulnerability, authentication bypass affecting credential material should be treated as high risk due to the potential for follow-on access.

NodeZero® Offensive Security Platform — Rapid Response

To safely verify whether CVE-2026-1603 affects your Ivanti Endpoint Manager deployment, Horizon3.ai customers can leverage the newly released Rapid Response test to confirm exploitability and validate remediation after patching.

  • Run the Rapid Response test — Launch the Ivanti EPM CVE-2026-1603 Rapid Response test from the customer portal to assess both internet-facing and internal EPM instances for authentication bypass exposure.
  • Apply mitigation immediately — Update Ivanti Endpoint Manager to version 2024 SU5 as outlined in the Ivanti Security Advisory. Customers running versions prior to 2024 SU5 are considered affected.
  • Re-run the Rapid Response test — Confirm that authentication bypass is no longer possible and validate that remediation has successfully removed exposure.

Rapid Response enables security teams to focus on vulnerabilities attackers are most likely to weaponize, allowing prioritized action based on validated exposure.

Indicators of Compromise

Ivanti has not published specific IOCs tied to active exploitation for this vulnerability. Organizations should review:

  • Unusual or unauthenticated access attempts against Ivanti EPM services
  • Unexpected access to stored credential data
  • Anomalous administrative actions within the EPM console
  • Suspicious outbound connections originating from the EPM server

As with any authentication bypass issue, organizations should assume potential credential exposure if systems were internet-accessible and unpatched.

Affected Versions

  • Ivanti Endpoint Manager (EPM) versions prior to 2024 SU5

Fixed Versions / Mitigation

  • Mitigation: Upgrade to Ivanti Endpoint Manager 2024 SU5 as outlined in the Ivanti Security Advisory.
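
The affected-version rule and the exposure guidance above, as an added triage example (not Horizon3.ai or Ivanti code). It assumes an inventory export with hypothetical columns `host`, `epm_version` and `internet_facing`, and version labels written as `<year> SU<n>`; it checks version labels only and does not test exploitability.

```python
import csv
import io
import re

FIXED = (2024, 5)  # 2024 SU5, the fixed release named in the advisory

# Constructed sample inventory: hostnames, versions and exposure flags are made up.
SAMPLE_INVENTORY = """host,epm_version,internet_facing
epm-core-01,2024 SU5,yes
epm-core-02,2024 SU4,yes
epm-core-03,2022 SU8,no
epm-lab-01,EPM 2024,no
epm-dr-01,unknown,yes
"""

def parse_version(label):
    """Turn '2024 SU4' or 'EPM 2024' into (year, su); None if the label is unparseable."""
    m = re.search(r"\b(20\d{2})(?:\s*SU\s*(\d+))?", label, re.IGNORECASE)
    if not m:
        return None
    # A release label with no SU suffix is treated as SU0 (assumption).
    return int(m.group(1)), int(m.group(2) or 0)

def triage(inventory_csv):
    """Return {host: status} for every row of the inventory CSV."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["epm_version"])
        exposed = row["internet_facing"].strip().lower() == "yes"
        if version is None:
            status = "unknown-version"  # cannot be shown to be patched: check by hand
        elif version >= FIXED:          # assumes later release years include the fix
            status = "patched"
        elif exposed:
            # Unpatched and internet-accessible: assume credential exposure.
            status = "affected-assume-credential-exposure"
        else:
            status = "affected-upgrade"
        results[row["host"]] = status
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```
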
