CISA Warns of Active Exploitation in Ivanti Endpoint Manager Authentication Bypass
Take action: If you use Ivanti Endpoint Manager, patching is now urgent. Update to 2024 SU5 immediately because attackers are already using this flaw to take over management servers.
CISA reports active exploitation of a high-severity flaw in Ivanti Endpoint Manager (EPM) that allows attackers to skip security checks. CISA confirmed that threat actors have used the flaw in real-world attacks since mid-February 2026.
The exploited flaw is CVE-2026-1603 (CVSS score 8.6), an authentication bypass vulnerability in Ivanti Endpoint Manager (EPM) that allows unauthenticated attackers to gain administrative access to the management console.
Since EPM serves as a central hub for managing thousands of corporate devices, a compromised EPM server allows attackers to deploy malicious software, change security policies, or steal data from every connected computer. Google researchers previously reported that Chinese nation-state groups targeted Ivanti tools throughout 2025, using zero-day bugs to maintain persistent access to high-value networks.
This security issue affects all versions of Ivanti Endpoint Manager released before 2024 Service Update 5 (SU5).
Administrators must update their systems to Ivanti EPM 2024 SU5 or later. Security teams should also inspect audit logs for any unauthorized administrative actions or new user accounts created since February 2026. If you cannot apply the patch immediately, you should restrict access to the EPM management interface so it is only reachable through a secure VPN or a trusted internal network.