CVE-2026-1604: Remote Unauthenticated Attacker Can Steal Ivanti EPM Secrets (Updated)
Feb 12
Key Findings
Ivanti released security patches for its Endpoint Manager (EPM) product, addressing two critical vulnerabilities.
The most severe flaw, CVE-2026-1603, is a high-severity authentication bypass (CVSS 8.6) that allows remote unauthenticated attackers to access stored credentials.
The second vulnerability, CVE-2026-1602, is a medium-severity SQL injection flaw (CVSS 6.5) that could enable data theft by authenticated attackers.
There is no evidence of these vulnerabilities being actively exploited, but the risks are significant: successful attacks could lead to data compromise and further system intrusion.
Ivanti strongly urges administrators to upgrade to EPM version 2024 SU5 immediately to mitigate these security gaps.
Background
Ivanti Endpoint Manager (EPM) is a comprehensive endpoint management solution that helps organizations centrally manage and secure their devices and users. It provides features such as patch management, software deployment, and remote access control.
CVE-2026-1603: Authentication Bypass
The more critical of the two vulnerabilities is CVE-2026-1603, a high-severity authentication bypass flaw with a CVSS score of 8.6. This vulnerability allows a remote unauthenticated attacker to bypass security checks and access stored credential data within the EPM system.
The advisory states: "An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data."
By exploiting this flaw, an attacker can directly access sensitive information without needing to steal a valid user's credentials first. This poses a significant risk, as the harvested credentials could then be used to further compromise the targeted environment.
CVE-2026-1602: SQL Injection
The second vulnerability, CVE-2026-1602, is a medium-severity SQL injection flaw with a CVSS score of 6.5. While less critical than the authentication bypass, it still represents a serious data privacy risk.
The advisory describes the issue as: "SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database."
An attacker who has already obtained some level of access to the EPM system can leverage this SQL injection vulnerability to directly query the database and extract sensitive information.
Mitigation
Ivanti has confirmed that these vulnerabilities are not being actively exploited at the time of disclosure. However, the risks posed by these flaws are significant, and administrators are strongly urged to apply the available patches immediately.
The affected versions of Ivanti Endpoint Manager are 2024 SU4 SR1 and prior. Administrators should upgrade to version 2024 SU5 or later to address these security issues and prevent potential data theft or further system compromise.
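The affected/fixed boundary above (2024 SU4 SR1 and prior affected, 2024 SU5 and later fixed) is easy to get wrong when checking an inventory by hand, so here is an added example, not from Ivanti or the source articles, that parses EPM version strings into comparable tuples and flags hosts still needing the upgrade. The "<year> SU<n> [SR<m>]" layout of the version string and the sample hostnames are assumptions for illustration.

```python
import re

# Fix version named in the advisory summarised above: 2024 SU5 and later are patched;
# 2024 SU4 SR1 and prior are affected by CVE-2026-1603 and CVE-2026-1602.
FIXED_VERSION = "2024 SU5"

# Assumed layout of an EPM version string: "<year> SU<n> [SR<m>]", e.g. "2024 SU4 SR1".
_VERSION_RE = re.compile(r"^\s*(\d{4})(?:\s+SU\s*(\d+))?(?:\s+SR\s*(\d+))?\s*$", re.IGNORECASE)


def parse_epm_version(version: str) -> tuple[int, int, int]:
    """Turn '2024 SU4 SR1' into a comparable (year, su, sr) tuple; missing SU/SR count as 0."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised EPM version string: {version!r}")
    year, su, sr = m.groups()
    return int(year), int(su or 0), int(sr or 0)


def is_affected(version: str) -> bool:
    """True when the version predates the fixed release (tuple comparison is lexicographic)."""
    return parse_epm_version(version) < parse_epm_version(FIXED_VERSION)


def affected_hosts(inventory: dict[str, str]) -> list[str]:
    """Return hostnames (sorted) whose recorded EPM version still needs the 2024 SU5 upgrade."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up for illustration.
    sample = {
        "epm-core-01": "2024 SU4 SR1",
        "epm-core-02": "2024 SU5",
        "epm-lab-01": "2024 SU3",
        "epm-dr-01": "2025 SU1",
    }
    for host in affected_hosts(sample):
        print(f"{host}: {sample[host]} -> upgrade to {FIXED_VERSION} or later")
```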
Sources
https://securityonline.info/cve-2026-1603-remote-unauthenticated-attacker-can-steal-ivanti-epm-secrets/
https://securityonline.info/crash-loop-palo-alto-networks-flaw-cve-2026-0229-forces-maintenance-mode/
https://x.com/the_yellow_fall/status/2021803519557407042