CVE-2026-1603: Ivanti EPM Authentication Bypass Exposes Stored Credentials to Unauthenticated Attackers

CVE ID: CVE-2026-1603
Vendor: Ivanti
Product: Endpoint Manager (EPM)
Attack Vector: Network (Remote, Unauthenticated)
Vulnerability Class: Authentication Bypass via Alternate Path or Channel (CWE-288)
CISA KEV Deadline: March 23, 2026 (Federal Agencies)


Vulnerability Overview

Ivanti Endpoint Manager (EPM) contains an authentication bypass vulnerability classified under CWE-288 — Authentication Bypass Using an Alternate Path or Channel. A remote, unauthenticated attacker can exploit an alternate code path or channel within EPM to bypass standard authentication controls and access credential data stored on the platform without supplying valid credentials.

The flaw requires no prior access, no user interaction, and no foothold on the network beyond reachability to the EPM administrative interface. This places it among the most operationally dangerous vulnerability classes: unauthenticated remote access to credential stores.


Technical Analysis

Authentication bypass via alternate path flaws occur when an application exposes a secondary route to functionality that does not enforce the same authentication checks as the primary interface. In EPM's case, an attacker can reach credential storage mechanisms through this unprotected path, extracting data without triggering standard login enforcement.

Ivanti EPM functions as a centralized endpoint management platform, meaning it routinely stores and manages sensitive material across a managed environment. This commonly includes domain service account credentials, API keys, device management tokens, and administrative account passwords used to push configurations and software across thousands of endpoints. The credential store accessible through this bypass likely contains high-value material directly usable for lateral movement.

Because EPM operates with broad authority across managed endpoints, credential theft from the platform does not stop at EPM itself. Extracted accounts can be replayed against Active Directory, cloud management APIs, VPN infrastructure, and other enterprise systems, depending on what EPM has stored or interacted with in the target environment.


Real-World Impact

Organizations running Ivanti EPM face direct credential exposure if this vulnerability is reachable from an untrusted network segment. An attacker who extracts domain or service account credentials from EPM gains a pivot point into broader enterprise infrastructure without needing to compromise a single endpoint through conventional means.

Ivanti products have been a persistent target for exploitation. CVE-2025-0282 and CVE-2024-21887 in Ivanti Connect Secure and Policy Secure were exploited in the wild by state-sponsored actors before patches were widely deployed. While no threat actor exploitation of CVE-2026-1603 has been confirmed in published reporting at this time, the vulnerability class and product history make it a high-priority target for opportunistic and sophisticated attackers alike.

Under the binding operational directive that governs the CISA Known Exploited Vulnerabilities (KEV) catalog, all U.S. federal civilian executive branch (FCEB) agencies must remediate CVE-2026-1603 by March 23, 2026. The deadline reflects CISA's assessment that the vulnerability poses meaningful risk to federal networks.


Affected Versions

Ivanti has not publicly specified the exact EPM version range affected at the time of this advisory. Organizations should consult Ivanti's official security advisory portal and apply all available EPM patches immediately upon release. Assume all EPM deployments are affected until Ivanti provides version-specific confirmation.


Patching and Mitigation Guidance

Immediate Actions:

  1. Inventory all Ivanti EPM deployments across on-premises and cloud-connected environments. Include subsidiary networks and managed service provider (MSP) instances.

  2. Apply Ivanti's official patch as soon as it is released. Monitor Ivanti's security advisories at https://www.ivanti.com/blog/security-advisories for patch availability. Do not wait for a scheduled maintenance window given the unauthenticated remote nature of this flaw.

  3. Restrict network access to EPM administrative interfaces immediately if patching is delayed. Implement firewall rules and network segmentation to ensure only authorized management hosts can reach EPM on relevant ports. EPM administrative interfaces should never be exposed to the public internet.

  4. Rotate credentials for all accounts stored, managed, or interacted with by affected EPM instances. Prioritize domain service accounts, API keys, and any accounts with administrative privileges across endpoints. Treat all credentials accessible to EPM as potentially compromised until rotation is complete.

  5. Audit EPM logs for unauthenticated access attempts, anomalous requests to credential-related endpoints, and any activity indicative of exploitation. Establish a log review baseline that predates the public CVE disclosure to identify potential pre-patch exploitation.

  6. Review downstream systems for signs of unauthorized access using credentials that EPM managed. Cross-reference EPM-stored accounts against authentication logs in Active Directory, cloud platforms, and VPN infrastructure.
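The network restriction in step 3 can be expressed as a host firewall ruleset on the EPM server. The following nftables fragment is an added example, not Ivanti documentation: TCP port 443 stands in for whatever ports the EPM console actually listens on, and the management subnets are placeholders to be replaced with the hosts that legitimately administer EPM. The commented-out rule shows the weak configuration (console reachable from any source) beside its hardened replacement.

```nftables
# Added example ruleset, not Ivanti documentation. Port 443 and the subnets
# are placeholders; substitute the ports your EPM console actually listens on.
table inet epm_console {
    set mgmt_hosts {
        type ipv4_addr
        flags interval
        # Placeholder: hosts and subnets permitted to administer EPM
        elements = { 10.10.0.0/24, 192.168.50.10 }
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # Weak (do not use): the console answers to any source address.
        # tcp dport 443 accept

        # Hardened: only approved management hosts reach the console;
        # everything else is counted, logged for the SOC, and dropped.
        tcp dport 443 ip saddr @mgmt_hosts accept
        tcp dport 443 counter log prefix "epm-console-denied " drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list table inet epm_console`. The `policy accept` on the chain leaves unrelated traffic untouched, so the ruleset only narrows who can reach the console; the log prefix gives the SOC a kernel-log signal for every blocked attempt from outside the management set.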

Detection Guidance:

SOC teams should write detection rules targeting unauthenticated HTTP/HTTPS requests to EPM endpoints associated with credential retrieval or configuration export functions. Correlate EPM access logs with authentication events in downstream systems for accounts managed by EPM. Alert on any successful responses to EPM administrative paths from source IPs not included in approved management subnets.
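The log review in step 5 and the detection logic above can be implemented as a small pass over the console's web access logs. The Python below is an added example written for this page, not Ivanti's code, and it makes several assumptions: the console's web server writes Common Log Format lines in which the authuser field carries the authenticated account (so "-" means no authenticated identity), the credential-export and administrative path prefixes are hypothetical placeholders, the management subnets are placeholders, and the log lines are constructed for illustration. It flags successful responses on credential-related paths with no authenticated user, successful administrative responses from sources outside the approved management subnets, and also counts denied attempts per source to support the pre-disclosure baseline the text recommends.

```python
"""Flag suspicious requests to an endpoint-management console in web access logs.

Added example, not Ivanti's code. The log format, path prefixes, management
subnets and sample lines below are assumptions/placeholders for a real deployment.
"""
import ipaddress
import re
from collections import Counter

# Placeholder management subnets; replace with the hosts permitted to reach EPM.
APPROVED_MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "192.168.50.0/24")]

# Hypothetical path prefixes for credential/configuration-export and admin functions.
CREDENTIAL_PATH_PREFIXES = ("/credentials", "/config/export")
ADMIN_PATH_PREFIXES = ("/admin",) + CREDENTIAL_PATH_PREFIXES

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (not real EPM log output).
SAMPLE_LOG = """\
10.10.0.5 - jdoe [12/Mar/2026:09:14:02 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120
203.0.113.45 - - [12/Mar/2026:09:15:29 +0000] "GET /admin/login HTTP/1.1" 401 312
203.0.113.45 - - [12/Mar/2026:09:15:31 +0000] "GET /credentials/export?format=xml HTTP/1.1" 200 88231
10.10.0.5 - - [12/Mar/2026:09:16:00 +0000] "GET /static/logo.png HTTP/1.1" 200 2048
198.51.100.7 - admin [12/Mar/2026:09:17:45 +0000] "POST /admin/settings HTTP/1.1" 200 410
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop query string for prefix matching
    return entry


def is_approved_source(ip_str):
    """True if the source address lies inside an approved management subnet."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in APPROVED_MGMT_NETS)


def evaluate(entry):
    """Return the list of finding labels that apply to one parsed entry."""
    findings = []
    path = entry["path"]
    success = 200 <= entry["status"] < 300
    if path.startswith(CREDENTIAL_PATH_PREFIXES) and success and entry["user"] == "-":
        findings.append("unauthenticated_success_on_credential_path")
    if path.startswith(ADMIN_PATH_PREFIXES) and success and not is_approved_source(entry["ip"]):
        findings.append("admin_success_from_unapproved_source")
    return findings


def analyze(lines):
    """Return {source_ip: [findings...]} for every line that raised a finding."""
    report = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        findings = evaluate(entry)
        if findings:
            report.setdefault(entry["ip"], []).extend(findings)
    return report


def denied_attempts(lines):
    """Count 401/403 responses on admin paths per source IP (probing baseline)."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and entry["path"].startswith(ADMIN_PATH_PREFIXES) and entry["status"] in (401, 403):
            counts[entry["ip"]] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, findings in analyze(lines).items():
        print(ip, findings)
    print("denied attempts:", dict(denied_attempts(lines)))
```

On the constructed sample, the external address that pulled a credential export with no authenticated user raises both findings, the unapproved source that reached an administrative path with a valid session raises only the source-subnet finding, and the approved management host raises none. Run the same functions over the pre-disclosure log window to establish the baseline the text calls for; for a real deployment, replace the placeholder path prefixes with the paths the EPM console actually serves.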

Longer-Term Controls:

Enforce zero-trust network access (ZTNA) principles for all endpoint management platforms. Endpoint management infrastructure should sit behind strict access controls with multi-factor authentication enforced at every entry point. Credential vaulting solutions with ephemeral credential issuance reduce the blast radius when credential stores in management platforms are compromised.