Emergency Security Bulletin: Authentication Bypass Vulnerability in Ivanti Endpoint Manager

By: RedLegg's Cyber Threat Intelligence Team

About:

 CVE-2026-1603 is a high-severity authentication bypass vulnerability in Ivanti Endpoint Manager caused by improper enforcement of authentication checks on alternate access paths. A remote unauthenticated attacker can exploit the flaw to access protected resources and potentially retrieve stored credential data from the Endpoint Manager system. The vulnerability is confirmed to be exploited in the wild according to CISA reporting, increasing the risk to unpatched environments. 

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Authentication Bypass Vulnerability in Ivanti Endpoint Manager

CVSS Score: 7.5 (High, CVSS v3.1)
Identifier: CVE-2026-1603 
PoC or Exploitation:
Based on a CISA report, this is a vulnerability exploited in the wild.

Update/Patch:

Ivanti has released a security update addressing this vulnerability in Ivanti Endpoint Manager 2024 SU5.
Affected versions include:

  • Ivanti Endpoint Manager versions earlier than 2024

  • Ivanti Endpoint Manager 2024 base release

  • Ivanti Endpoint Manager 2024 SU1

  • Ivanti Endpoint Manager 2024 SU2

  • Ivanti Endpoint Manager 2024 SU3 and SU3 Security Release 1

  • Ivanti Endpoint Manager 2024 SU4 and SU4 SR1


Fixed version:

Ivanti Endpoint Manager 2024 SU5 and later


Ivanti advisory and patch guidance:

https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024

 
Description: 
CVE-2026-1603 is an authentication bypass vulnerability affecting Ivanti Endpoint Manager. The vulnerability occurs due to improper authentication controls that allow access through an alternate path that does not properly enforce authentication checks.
 
A remote unauthenticated attacker can exploit this flaw to access protected resources and leak stored credential data from the Endpoint Manager system.


Mitigation Recommendation:

Immediately upgrade Ivanti Endpoint Manager to version 2024 SU5 or later.
 
Restrict access to the Ivanti Endpoint Manager server and management interfaces to trusted administrative networks only.
 
Rotate credentials stored or managed by Ivanti Endpoint Manager as a precautionary measure.
 
Review Endpoint Manager logs for suspicious access patterns, especially requests to administrative endpoints without corresponding authentication events.
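
One way to carry out the log review described above, as an added example that is not part of the original bulletin or Ivanti's guidance. It assumes the web server in front of Endpoint Manager writes W3C extended logs (the IIS format) with a cs-username field; the path prefixes and the 30-minute window are hypothetical placeholders to replace with your deployment's values.

```python
from datetime import datetime, timedelta

# Hypothetical placeholders: replace with the protected paths of your own deployment.
PROTECTED_PREFIXES = ("/example-admin/", "/example-api/")
AUTH_WINDOW = timedelta(minutes=30)  # assumed session lifetime

def parse_w3c(lines):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_unauthenticated_access(lines):
    """Return anonymous 2xx requests to protected paths with no recent login from that IP."""
    last_auth = {}  # client IP -> time of its most recent authenticated request
    findings = []
    for row in parse_w3c(lines):
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        ip, user = row["c-ip"], row["cs-username"]
        if user != "-":
            last_auth[ip] = ts
            continue
        path = row["cs-uri-stem"].lower()
        if not path.startswith(PROTECTED_PREFIXES) or not row["sc-status"].startswith("2"):
            continue
        seen = last_auth.get(ip)
        if seen is None or ts - seen > AUTH_WINDOW:
            findings.append((ts.isoformat(), ip, row["cs-method"], row["cs-uri-stem"]))
    return findings

# Constructed sample log (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2026-01-01 10:00:00 POST /example-admin/login EXAMPLE\\admin 192.0.2.10 200
2026-01-01 10:00:05 GET /example-admin/settings - 192.0.2.10 200
2026-01-01 10:02:00 GET /example-api/items - 198.51.100.7 200
2026-01-01 10:02:03 GET /example-admin/settings - 198.51.100.7 401
2026-01-01 10:45:00 GET /example-admin/settings - 192.0.2.10 200
2026-01-01 10:46:00 GET /index.html - 203.0.113.5 200
""".splitlines()

if __name__ == "__main__":
    for finding in find_unauthenticated_access(SAMPLE_LOG):
        print(finding)
```

The cs-username field is only populated when the web server itself performs authentication; where the application handles login, correlate against the application's own authentication log instead.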