CVE-2026-1603
Published 2026-02-10
CVE-2026-1603: An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
Priority P193 · high · CVSS 3.1: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2026-03-23
Exploited in the wild
EPSS: 81.09% (99.6th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager | < 2024 | 2024 |
| ivanti | endpoint_manager | — | — |
Detection & IOCs (extracted from sources)
- CVE-2026-1603 is an authentication bypass in Ivanti EPM exploitable by remote unauthenticated attackers with no user interaction required; monitor for unauthenticated requests to Ivanti EPM endpoints that return or expose credential data
- CVE-2026-1603 is listed in CISA KEV as actively exploited; treat any unpatched Ivanti EPM instance (pre-2024 SU5) as compromised until verified otherwise
- Ivanti stated no customer exploitation was observed prior to public disclosure; active exploitation was flagged by CISA but Ivanti had not independently confirmed it at time of reporting
- No technical details, exploit code, specific URLs, hashes, or network indicators for CVE-2026-1603 exploitation were published in the available sources; detection must rely on behavioral and version-based signals
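CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| ghsa | | 5.3 | MEDIUM | |
| vulncheck | | 8.6 | HIGH | |
| cisa | | 7.5 | HIGH | |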
GHSA
Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw
ghsa·2026-06-16·CVSS 5.3
CVE-2026-25714 [MEDIUM] CWE-862 Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw
## Summary
Two related issues in the token public-only scope enforcement introduced by PR #32204 (CVE-2025-68941 fix). A public-only scoped API token can access private organization data.
## Issue 1: /user/orgs missing checkTokenPublicOnly()
`routers/api/v1/api.go` line 1599:
```go
m.Get("/user/orgs", reqToken(), tokenRequiresScopes(
	auth_model.AccessTokenScopeCategoryUser,
	auth_model.AccessTokenScopeCategoryOrganization,
), org.ListMyOrgs)
// Missing checkTokenPublicOnly()
```
Adjacent route at line 1603 has it:
```go
m.Group("/users/{username}/orgs", func() { ... },
	..., checkTokenPublicOnly())
```
## Issue 2: checkTokenPublicOnly switch-case evaluates only first matching category
GHSA
GHSA-2j3g-j6qj-x9q2: An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credentia
ghsa_unreviewed·2026-02-10
CVE-2026-1603 [HIGH] CWE-288 GHSA-2j3g-j6qj-x9q2: An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credentia
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
VulnCheck
Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability
vulncheck·2026·CVSS 8.6
CVE-2026-1603 [HIGH] CWE-288 Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability
Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential data.
Affected: Ivanti Endpoint Manager (EPM)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-02-17&host_type=src&vulnerability=cve-2026-1603; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-02-24&host_type=src&vulnerability=cve-2026-1603; https://dashb
CISA
Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability
cisa·2026-03-09·CVSS 7.5
CVE-2026-1603 [HIGH] CWE-288 Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability
Vulnerability: Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability
Affected: Ivanti Endpoint Manager (EPM)
Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential data.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2026-1603
Remediation Due Date: 2026-03-23
Ivanti
Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability
vendor_ivanti·2026-03-09·CVSS 8.6
CVE-2026-1603 [HIGH] Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability
Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential data.
CVE IDs: CVE-2026-1603
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Remediation Due Date: 2026-03-23
Suricata
ET WEB_SPECIFIC_APPS Ivanti RemoteControlAuth logintype Parameter Authentication Bypass Attempt (CVE-2026-1603)
suricata·2026-02-13·CVSS 8.6
CVE-2026-1603 [HIGH] ET WEB_SPECIFIC_APPS Ivanti RemoteControlAuth logintype Parameter Authentication Bypass Attempt (CVE-2026-1603)
Rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti RemoteControlAuth logintype Parameter Authentication Bypass Attempt (CVE-2026-1603)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:27; content:"/RemoteControlAuth/api/Auth"; fast_pattern; http.request_body; content:"|22|logintype|22|"; content:"|22|64|22|"; within:10; reference:url,infosec.exchange/@watchTowr/116063760636955104; reference:cve,2026-1603; classtype:attempted-admin; sid:2067665; rev:1; metadata:affected_product Ivanti, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_02_13, cve CVE_2026_1603, deployment Perimeter, deployment Internal, perf
```
Nuclei
Ivanti Endpoint Manager - Authentication Bypass
nuclei·CVSS 7.5
CVE-2026-1603 [HIGH] Ivanti Endpoint Manager - Authentication Bypass
Ivanti Endpoint Manager < 2024 SU5 contains an authentication bypass caused by improper access control, letting remote unauthenticated attackers leak stored credential data, exploit requires no special privileges.
Template:
```yaml
id: CVE-2026-1603

info:
  name: Ivanti Endpoint Manager - Authentication Bypass
  author: DhiyaneshDk,watchtowrlabs
  severity: high
  description: |
    Ivanti Endpoint Manager < 2024 SU5 contains an authentication bypass caused by improper access control, letting remote unauthenticated attackers leak stored credential data, exploit requires no special privileges.
  impact: |
    Remote attackers can leak stored credential data, potentially compromising sensitive information.
  remediation: |
    Update to version 2024 SU5 or later.
  referenc
```
Bleepingcomputer
CISA: Recently patched Ivanti EPM flaw now actively exploited
blogs_bleepingcomputer·2026-03-10·CVSS 8.6
CVE-2026-1603 [HIGH] CISA: Recently patched Ivanti EPM flaw now actively exploited
## CISA: Recently patched Ivanti EPM flaw now actively exploited
## Sergiu Gatlan
CISA flagged a high-severity Ivanti Endpoint Manager (EPM) vulnerability as actively exploited in attacks and ordered U.S. federal agencies to patch systems within three weeks.
Ivanti's EPM software is an all-in-one endpoint management solution for managing client devices across Windows, macOS, Linux, Chrome OS, and IoT platforms.
Tracked as CVE-2026-1603, this security flaw can be exploited by remote threat actors without privileges to bypass authentication and steal credential data in low-complexity cross-site scripting attacks that require no user interaction.
Ivanti patched the vulnerability one month ago, when it released Ivanti EPM 2024 SU5, which also addresses an SQL injection flaw that allows
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
Wiz
CVE-2025-13659 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-13659 [HIGH] CVE-2025-13659 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13659: Ivanti Endpoint Manager vulnerability analysis and mitigation
Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required.
- Source: NVD
- Score: 8.8
- Published: December 9, 2025
- Severity: HIGH
- CNA Score: 8.8
- Affected Technologies: Ivanti Endpoint Manager; Ivanti Endpoint Manager Windows Agent
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 77.4
- Exploitation Probability (EPSS): 1
- Affected packages and libraries: cpe:2.3:a:ivanti:endpoint_manager
Sources
Linux Seve
Wiz
CVE-2025-10573 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2025-10573 [CRITICAL] CVE-2025-10573 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-10573: Ivanti Endpoint Manager vulnerability analysis and mitigation
Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.
- Source: NVD
- Score: 6.1
- Published: December 9, 2025
- Severity: MEDIUM
- CNA Score: 9.6
- Affected Technologies: Ivanti Endpoint Manager; Ivanti Endpoint Manager Windows Agent
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 12.3
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: cpe:2.3:a:ivanti:endpoint_manager
Sources
Linux Severity MEDIUM No Fix Added at: Dec 12, 2025
Windows
Wiz
CVE-2025-13661 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-13661 [HIGH] CVE-2025-13661 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13661: Ivanti Endpoint Manager vulnerability analysis and mitigation
Path traversal in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote authenticated attacker to write arbitrary files outside of the intended directory. User interaction is required.
- Source: NVD
- Score: 8
- Published: December 9, 2025
- Severity: HIGH
- CNA Score: 7.1
- Affected Technologies: Ivanti Endpoint Manager; Ivanti Endpoint Manager Windows Agent
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 83.7
- Exploitation Probability (EPSS): 2
- Affected packages and libraries: cpe:2.3:a:ivanti:endpoint_manager
Sources
Linux Severity HIGH No Fix Added at: Dec 12, 2025
Windows Severity HIGH No Fix A
Wiz
CVE-2026-1602 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-1602 [HIGH] CVE-2026-1602 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1602: Ivanti Endpoint Manager vulnerability analysis and mitigation
SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.
- Source: NVD
- Score: 6.5
- Published: February 10, 2026
- Severity: MEDIUM
- CNA Score: 6.5
- Affected Technologies: Ivanti Endpoint Manager; Ivanti Endpoint Manager Windows Agent
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 20.8
- Exploitation Probability (EPSS): 0.1
- Affected packages and libraries: cpe:2.3:a:ivanti:endpoint_manager
Sources
Linux Severity MEDIUM No Fix Added at: Feb 15, 2026
Windows Severity MEDIUM No Fix Added at: Feb 15, 2026
Linux Severity MEDIUM
Wiz
CVE-2025-13662 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-13662 [HIGH] CVE-2025-13662 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13662: Ivanti Endpoint Manager vulnerability analysis and mitigation
Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code. User Interaction is required.
- Source: NVD
- Score: 7.8
- Published: December 9, 2025
- Severity: HIGH
- CNA Score: 7.8
- Affected Technologies: Ivanti Endpoint Manager; Ivanti Endpoint Manager Windows Agent
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 6.9
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: cpe:2.3:a:ivanti:endpoint_manager
Sources
Linux Severity HIGH No Fix Added at: Dec
Wiz
CVE-2026-1603 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-1603 [HIGH] CVE-2026-1603 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1603: Ivanti Endpoint Manager vulnerability analysis and mitigation
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
- Source: NVD
- Score: 7.5
- Published: February 10, 2026
- Severity: HIGH
- CNA Score: 8.6
- Affected Technologies: Ivanti Endpoint Manager; Ivanti Endpoint Manager Windows Agent
- Has Public Exploit: Yes
- Has CISA KEV Exploit: Yes
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 98.3
- Exploitation Probability (EPSS): 60.9
- Affected packages and libraries: cpe:2.3:a:ivanti:endpoint_manager
Sources
Linux Severity HIGH No Fix Added at: Feb 15, 2026
Windows Severity HIGH No Fix Added at: Feb 15, 2026
Linux Severit
- 2026-02-10: Published
- 2026-03-09: Added to CISA KEV
Exploited in the wild