Ivanti Endpoint Manager, Authentication Bypass, CVE-2026-1603 (HIGH)

Listen to this Post

CVE-2026-1603 is an authentication bypass vulnerability in Ivanti Endpoint Manager (EPM) before version 2024 SU5 . The vulnerability, classified under CWE-288, allows a remote unauthenticated attacker to bypass authentication mechanisms and leak specific stored credential data . This flaw resides in the core authentication handling, where the software fails to properly verify user identity, allowing an attacker to directly request and retrieve sensitive credential information without any valid login . The attack can be carried out over the network without requiring any user interaction or special privileges, making it easily exploitable . With a CVSS score of 8.6, the vulnerability has a high impact on data confidentiality, although it does not affect system integrity or availability . The issue was discovered by security researcher 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 and reported through Trend Micro’s Zero Day Initiative . Ivanti addressed the vulnerability in the EPM 2024 SU5 update, and no active exploitation was observed prior to its public disclosure .

dailycve form:

Platform: Ivanti EPM
Version: before 2024 SU5
Vulnerability : authentication bypass
Severity: HIGH
date: February 2026

Prediction: Patch already released

What Undercode Say:

Analytics:

The vulnerability exists in versions prior to EPM 2024 SU5 . Organizations running Ivanti EPM 2024 SU4 SR1 and earlier are at risk . The flaw requires no authentication and no user interaction, with a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N . Administrators can verify their current version using the EPM console or by checking the version information in the installed programs list.

How Exploit:

A remote attacker would send a specially crafted request to an unauthenticated endpoint to trigger the bypass and leak credential data . While public exploit code is not detailed in the search results, the following demonstrates how an attacker might check for a vulnerable system:

Check if target is running a vulnerable version (example only)
This is a conceptual check, not an exploit.
VULN_VERSION="2024 SU4 SR1"
TARGET_IP="192.168.1.100"
Attempt to access a sensitive endpoint without authentication
curl -k -X GET "https://${TARGET_IP}/some/sensitive/endpoint" -H "Host: ${TARGET_IP}"

Protection from this CVE:

The primary mitigation is to update to Ivanti Endpoint Manager version 2024 SU5 or later, available through the Ivanti License System (ILS) . Administrators should also conduct a security audit to check for any unauthorized access prior to patching . As a best practice, restrict network access to the EPM server to only trusted administrative hosts and networks. Monitor logs for any suspicious, unauthenticated requests attempting to access credential stores.

Impact:

Successful exploitation allows a remote, unauthenticated attacker to leak specific stored credential data . This breach of confidentiality could provide an attacker with valid credentials to further compromise the EPM server or other connected systems and endpoints managed by it . The vulnerability does not impact system integrity or availability, but the credential leak poses a significant risk for lateral movement and privilege escalation within the organization .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top