CISA has added CVE-2026-1603, an authentication bypass vulnerability affecting Ivanti Endpoint Manager (EPM), to its Known Exploited Vulnerabilities (KEV) Catalog. That matters because KEV entries are not theoretical risks—they are vulnerabilities CISA says have already been exploited in the wild. For MSPs, internal IT teams, and organizations running Ivanti EPM, this instantly moves the issue into the patch-now, verify-now category.
What is the threat?
According to NIST’s National Vulnerability Database, CVE-2026-1603 is an authentication bypass flaw in Ivanti Endpoint Manager versions before 2024 SU5. A remote, unauthenticated attacker may be able to leak specific stored credential data from an affected system. In practical terms, an internet-exposed or otherwise reachable EPM instance could expose sensitive administrative data to an attacker who does not hold valid credentials.
Why this is important right now
- CISA added it to KEV on March 9, 2026, confirming active exploitation.
- The issue affects a product commonly used for endpoint administration, making it especially relevant for MSPs and IT service providers.
- Credential exposure raises the stakes because it can support follow-on attacks, lateral movement, persistence, and broader compromise.
- Unauthenticated attack paths are always high priority since attackers do not need an initial valid account to start exploiting the weakness.
What businesses should do immediately
- Identify all Ivanti Endpoint Manager instances in production, test, DR, and hosted environments.
- Upgrade to Ivanti Endpoint Manager 2024 SU5 or later following vendor guidance.
- Restrict access to EPM management interfaces so they are not publicly reachable from the internet.
- Review logs and monitoring data for unusual authentication behavior, configuration changes, or signs of credential access.
- Rotate sensitive credentials if there is any indication the system was exposed or compromised.
- Check segmentation and admin access controls to reduce blast radius if a management platform is targeted.
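The first steps of that checklist, sketched as an added example (not code from Ivanti, CISA, or the original post): it ranks a constructed inventory by release and exposure so the riskiest servers are handled first. The release-label format ("2024 SU4"), the host names, and the `internet_facing` field are assumptions about how your own inventory is recorded.

```python
import re
from dataclasses import dataclass

FIXED = (2024, 5)  # 2024 SU5: versions before this are affected per the NVD text

@dataclass
class Instance:
    host: str              # hypothetical host name
    env: str               # production / test / DR / hosted
    release: str           # release label as typed into the inventory (assumed format)
    internet_facing: bool  # assumed to come from your exposure scan or firewall review

def parse_release(label):
    """Map a label such as 'EPM 2024 SU4' to (2024, 4); None if it cannot be read."""
    m = re.search(r"\b(20\d{2})\b(?:\s*SU\s*(\d+))?", label, re.IGNORECASE)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def triage(instances):
    """Return (priority, host, env, action) rows, most urgent first."""
    rows = []
    for i in instances:
        ver = parse_release(i.release)
        urgent = 1 if i.internet_facing else 2
        if ver is None:
            # An unreadable version is handled as affected until someone checks it.
            rows.append((urgent, i.host, i.env, "version unknown: verify, then upgrade"))
        elif ver < FIXED:
            rows.append((urgent, i.host, i.env, "before 2024 SU5: upgrade, review logs"))
        elif i.internet_facing:
            rows.append((3, i.host, i.env, "fixed release: restrict interface access"))
    return sorted(rows)

# Constructed sample inventory, not real hosts.
INVENTORY = [
    Instance("epm-prod-01", "production", "EPM 2024 SU4", True),
    Instance("epm-dr-01", "DR", "2022 SU8", False),
    Instance("epm-test-01", "test", "2024 SU5", False),
    Instance("epm-hosted-01", "hosted", "2024 SU5", True),
    Instance("epm-lab-01", "test", "unknown", False),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(*row, sep="  ")
```

Instances on a fixed release that are not internet-reachable are left out of the output; everything else appears with the next action from the checklist.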
What MSPs should tell clients
If your organization or your IT provider uses Ivanti Endpoint Manager, this is not the kind of advisory to leave in the weekly patch queue. The combination of active exploitation, unauthenticated access, and potential credential exposure makes this a same-day remediation priority. Even if your EPM server is not directly internet-facing, attackers regularly chain internal weaknesses after phishing, VPN compromise, or remote access abuse.
The bigger lesson is familiar but still important: tools used to manage endpoints, deploy software, or administer infrastructure are high-value targets. When one of those products lands in the KEV catalog, response speed matters more than perfect change-window timing.
QuickMSP takeaway
CVE-2026-1603 is a live, credible threat with immediate relevance to any business relying on Ivanti Endpoint Manager. If you have not already validated your version, applied the vendor update, and reviewed exposure, now is the time. For small and midsize businesses, waiting on actively exploited management-platform vulnerabilities is a gamble that rarely ends well.
Sources
- CISA Known Exploited Vulnerabilities Catalog: CVE-2026-1603 entry
- NIST NVD: CVE-2026-1603 detail page
- Ivanti advisory reference listed by NVD: Vendor advisory