Cyber Posture

CVE-2026-1603

High · CISA KEV · Active Exploitation

Published: 10 February 2026

Modified: 10 March 2026
KEV Added: 09 March 2026
Patch
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.5587 (98.1th percentile)
Risk Priority: 71 (60% EPSS · 20% KEV · 20% CVSS)

Description

An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Requires timely identification, reporting, and correction of flaws, directly mitigating the authentication bypass by applying the vendor patch, that is, upgrading Ivanti Endpoint Manager to 2024 SU5 or later.

prevent

Defines and authorizes only the specific actions that may be performed without identification or authentication, preventing exposure of critical credential data via alternate unauthenticated paths as in CWE-288 and CWE-306.

prevent

Enforces approved authorizations for logical access, directly countering the authentication bypass that allowed unauthorized leakage of stored credentials.

Security Summary · AI

CVE-2026-1603 is an authentication bypass vulnerability affecting Ivanti Endpoint Manager versions prior to 2024 SU5. It enables a remote unauthenticated attacker to leak specific stored credential data, stemming from issues classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-306 (Missing Authentication for Critical Function). The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility, low attack complexity, no required privileges, and significant confidentiality impact across a changed scope.

A remote unauthenticated attacker can exploit this vulnerability over the network, without user interaction, by targeting the affected Endpoint Manager instance. Successful exploitation allows the attacker to access and leak specific stored credential data, potentially enabling further compromise such as lateral movement or privilege escalation within the environment. The vulnerability itself has no direct integrity or availability impact.

Ivanti has published Security Advisory EPM-February-2026 detailing patches for Endpoint Manager 2024 and recommends upgrading to version 2024 SU5 or later to mitigate the issue. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities Catalog, which urges federal agencies to apply mitigations immediately due to active exploitation.

This CVE has seen real-world exploitation, as evidenced by its inclusion in the CISA KEV catalog on 09 March 2026, following publication on 10 February 2026.

Details

CWE(s): CWE-288, CWE-306
KEV Date Added: 09 March 2026

Affected Products

Vendor: ivanti
Product: endpoint manager
Version: 2024 · ≤ 2024

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1212 · Exploitation for Credential Access · Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

Why these techniques?

CVE-2026-1603 is an authentication bypass in a public-facing application (Ivanti Endpoint Manager) that is exploitable remotely without authentication. It directly enables exploitation for initial access (T1190) and leaks stored credentials via exploitation (T1212).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
