Ivanti Patches High-Severity Authentication Bypass in Endpoint Manager
Take action: If you are using Ivanti EPM, this is one more patch cycle. Plan a prompt update of your Ivanti EPM instance to version 2024 SU5 or later. If possible, make sure your management servers are not exposed directly to the public internet.
Ivanti has released a critical security update for its Endpoint Manager (EPM) 2024 software to address two significant vulnerabilities. These issues could allow attackers to access laptops, servers, and other infrastructure components and to exfiltrate sensitive data and credentials.
Vulnerability summary:
- CVE-2026-1603 (CVSS score 8.6) - An authentication bypass vulnerability that allows a remote, unauthenticated attacker to leak specific stored credential data. By sending a specially crafted request to the EPM server, an attacker can retrieve sensitive information without providing a username or password. This flaw removes the primary barrier to entry, enabling attackers to harvest credentials remotely and potentially use them for lateral movement.
- CVE-2026-1602 (CVSS score 6.5) - A SQL injection vulnerability that permits a remote authenticated attacker to read arbitrary data from the underlying database. The system does not properly sanitize user-supplied input in database queries, allowing an attacker with valid login access to manipulate commands and dump sensitive configuration or user details. While this requires initial access, it allows for significant data exfiltration and internal reconnaissance.
Successful exploitation could lead to the compromise of stored credentials, making it easy to access other high-value systems. Because EPM is a centralized management tool, a breach exposes every managed device to potential takeover or data theft.
The vulnerabilities affect Ivanti Endpoint Manager (EPM) version 2024 SU4 SR1 and all prior versions. The update also includes fixes for 11 previously disclosed medium-severity vulnerabilities, consolidating multiple security patches into a single release.
Organizations should update to Ivanti EPM 2024 SU5. The patch is available through the Ivanti License System (ILS).