CVE-2026-1603

Ivanti EPM — Unauthenticated Credential Vault Access via Magic Number Header Bypass
CVSS 3.1: 8.6 / 10 (HIGH). CISA Known Exploited Vulnerability.

What is Ivanti Endpoint Manager (EPM)?

Ivanti Endpoint Manager (EPM) is an enterprise IT asset management and endpoint control platform used by organizations to centrally discover, inventory, deploy software to, and manage the lifecycle of Windows, macOS, Linux, and mobile devices across their network. It is distinct from Ivanti EPMM (Endpoint Manager Mobile) — EPM focuses on traditional endpoints rather than mobile fleet management.

Key functions include:

  • Asset discovery and inventory — automatically discover and catalog all devices on the network, including hardware specifications, installed software, and patch status
  • Software distribution — centrally deploy, update, and remove applications across thousands of endpoints simultaneously
  • Patch management — identify missing patches and orchestrate patch deployment across the managed device fleet
  • OS deployment — provision bare-metal and virtual machines with operating system images at scale
  • Remote control and troubleshooting — allow IT administrators to remotely connect to and manage endpoints
  • Credential management — store and use privileged credentials (domain admin accounts, service accounts) required to authenticate to and manage remote endpoints

Because EPM must authenticate to every managed endpoint, it necessarily holds a credential vault containing high-privilege accounts — typically domain administrator credentials or service accounts with broad network access. This vault is the primary attack target for CVE-2026-1603.

Overview

Ivanti Endpoint Manager (EPM) contains an authentication bypass vulnerability (CWE-288) in its API layer that allows a completely unauthenticated remote attacker to access the EPM Credential Vault and retrieve encrypted credential blobs for high-privilege accounts, including Domain Administrator hashes and service account credentials. The CVSS Scope metric is rated Changed because successful exploitation extends impact beyond the EPM server itself — the stolen credentials enable lateral movement and privilege escalation across the entire managed enterprise environment.

The vulnerability was patched in February 2026, but by the time CISA added it to the KEV catalog on March 9, 2026 (approximately one month after the patch was released), Ivanti had confirmed active exploitation in the wild. This pattern (exploitation confirmed post-patch) suggests that attackers were either exploiting it as a zero-day before the advisory or weaponized it rapidly after Ivanti's disclosure.

Affected Versions

Version                       Status
EPM 2024 SU4 SR1 and prior    Vulnerable
EPM 2024 SU5                  Fixed
EPM 2022 SU6 and prior        Vulnerable

Fix: Upgrade to Ivanti Endpoint Manager 2024 SU5, available through the Ivanti License System (ILS). No workarounds are available — the fix requires the software update.

Technical Details

CVE-2026-1603 is a CWE-288 authentication bypass through an alternate path or channel. Certain API endpoints in Ivanti EPM that handle credential vault operations apply authentication checks in a way that can be bypassed by manipulating a specific HTTP request header.

The "magic number" bypass: By including the integer value 64 in a specific header field of a crafted HTTP request, an attacker causes the EPM application to skip normal authentication verification and treat the request as authorized. This is a malformed header concatenation flaw — the authentication logic incorrectly evaluates the header value and grants access through an alternate code path that bypasses credential checks.

What an attacker retrieves: Once the authentication check is bypassed, the attacker can query EPM's credential vault and retrieve encrypted credential blobs associated with accounts EPM uses to manage remote endpoints. These typically include:

  • Domain Administrator password hashes
  • Service account credentials with broad network access
  • Local administrator credentials used for endpoint provisioning

Attack characteristics:

  • No credentials, session, or prior access required
  • Single crafted HTTP request sufficient to trigger the bypass
  • The retrieved credential blobs, once decrypted or cracked offline, yield plaintext or hash-equivalent credentials for lateral movement
  • CVSS Integrity: None — EPM itself is not directly modified, but the downstream impact of stolen admin credentials is severe

CWE-288 (Authentication Bypass Using an Alternate Path or Channel): The product provides multiple paths to reach a security-critical function, but only some of those paths enforce authentication. An attacker uses the unprotected path to bypass the authentication that would otherwise block access.
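The following is an added illustration of the CWE-288 pattern described above, written for this page; it is not Ivanti code and does not model EPM's real API, header names, or endpoints. The header name X-Example-Mode, the path /vault/credentials, the session tokens, and the vault records are all placeholder values chosen for the example. It contrasts a handler that contains its own "already authorized" shortcut with a dispatcher that enforces authentication once, before any protected handler runs, so no alternate path exists.

```python
"""
Toy request router contrasting a CWE-288 alternate-path flaw with a design
where authentication is enforced in exactly one place.
Everything here (header name, paths, tokens, records) is a constructed
placeholder; nothing models the real EPM API.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    session_token: str = ""

# Constructed sample data: one valid session and two placeholder vault records.
VALID_SESSIONS = {"session-abc123"}
VAULT_RECORDS = [
    {"account": "EXAMPLE\\svc-deploy", "blob": "<encrypted placeholder 1>"},
    {"account": "EXAMPLE\\Administrator", "blob": "<encrypted placeholder 2>"},
]

def is_authenticated(req: Request) -> bool:
    return req.session_token in VALID_SESSIONS

# --- Vulnerable pattern: the handler decides authentication itself and has a
# second path that skips it. Here the shortcut is a hypothetical "mode" header
# whose value "64" is trusted as an internal, pre-authorized call.
def vulnerable_vault_handler(req: Request) -> dict:
    if req.headers.get("X-Example-Mode") == "64":
        return {"status": 200, "records": VAULT_RECORDS}
    if not is_authenticated(req):
        return {"status": 401, "records": []}
    return {"status": 200, "records": VAULT_RECORDS}

# --- Hardened pattern: handlers make no authentication decision at all. The
# dispatcher authenticates every request whose path is under a protected
# prefix before it looks up a handler, so headers never influence the check.
PROTECTED_PREFIXES = ("/vault/",)

def vault_handler(req: Request) -> dict:
    return {"status": 200, "records": VAULT_RECORDS}

def hardened_dispatch(routes: Dict[str, Callable[[Request], dict]], req: Request) -> dict:
    if req.path.startswith(PROTECTED_PREFIXES) and not is_authenticated(req):
        return {"status": 401, "records": []}
    handler = routes.get(req.path)
    if handler is None:
        return {"status": 404, "records": []}
    return handler(req)

ROUTES = {"/vault/credentials": vault_handler}

def demo() -> Dict[str, int]:
    """Return the status codes each design gives a forged and a legitimate request."""
    forged = Request("/vault/credentials", headers={"X-Example-Mode": "64"})
    legit = Request("/vault/credentials", session_token="session-abc123")
    return {
        "vulnerable_forged": vulnerable_vault_handler(forged)["status"],
        "vulnerable_legit": vulnerable_vault_handler(legit)["status"],
        "hardened_forged": hardened_dispatch(ROUTES, forged)["status"],
        "hardened_legit": hardened_dispatch(ROUTES, legit)["status"],
    }

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: HTTP {status}")
```

The design point is that the hardened dispatcher has a single authentication decision that runs before routing, so adding or changing a handler cannot create an unprotected path; a code review of the vulnerable version has to inspect every handler to find the shortcut.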

Discovery

Horizon3.ai published detailed technical research on CVE-2026-1603 and the broader class of credential coercion vulnerabilities in Ivanti EPM. They also released a Rapid Response assessment test enabling organizations to check whether their internet-facing and internal EPM instances are exposed to the authentication bypass. The vulnerability was included in Ivanti's February 2026 security advisory alongside multiple other EPM flaws.

Exploitation Context

Exploitation was confirmed active as of the March 9, 2026 KEV addition — approximately one month after Ivanti's February 10, 2026 patch release. The gap between patch and KEV listing is consistent with either:

  • Pre-patch zero-day exploitation that Ivanti was aware of when issuing the advisory, with public confirmation delayed
  • Rapid post-patch exploitation, where attackers reverse-engineered the patch to identify and weaponize the bypass within weeks

Either scenario reflects a well-resourced threat actor with the capability to act quickly on Ivanti vulnerability disclosures. Ivanti products have been a sustained target for advanced persistent threat (APT) groups in prior years; EPM's credential vault makes it particularly attractive — compromising a single EPM server can yield domain administrator access to every managed endpoint in the organization.

The CVSS Scope: Changed rating underscores the lateral movement risk: stealing EPM's stored credentials does not just affect the EPM server, it directly enables attack paths against every system those credentials can reach — potentially the entire Active Directory domain.

Remediation

  1. Upgrade to EPM 2024 SU5 immediately — this is the only fix; no workarounds exist. Update through the Ivanti License System (ILS)
  2. Restrict network access to the EPM console — the EPM management interface should not be reachable from the internet or from untrusted network segments; enforce firewall rules to limit access to authorized IT management subnets only
  3. Rotate all credentials stored in EPM — treat any credentials held in the EPM Credential Vault as potentially compromised; rotate Domain Administrator and service account passwords, invalidate Kerberos tickets (run klist purge and issue new TGTs), and audit Active Directory for unauthorized account changes or new privileged accounts
  4. Hunt for unauthorized access — review EPM web server access logs for requests to credential vault API endpoints from unexpected source IPs, particularly requests with unusual header values; look for any external IPs that accessed EPM before the patch was applied
  5. Check for lateral movement indicators — review Active Directory authentication logs for anomalous use of managed service accounts or domain admin credentials, particularly from hosts that are not the EPM server
  6. Audit all managed endpoints — if credentials were stolen, an attacker with domain admin access may have moved laterally to managed endpoints; look for new scheduled tasks, services, or accounts created around the exploitation window
  7. Discontinue use if upgrading to 2024 SU5 is not achievable before the BOD 22-01 deadline — an unpatched internet-reachable EPM server exposes your entire domain admin credential set
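As an added example for the hunting step above (step 4, with the network restriction of step 2 as its allowlist), the script below triages web-server access logs offline: it keeps only requests to credential-vault API paths, flags those from sources outside the authorized management subnets, and notes whether they fell before the 2026-02-10 patch release. It is not an Ivanti-provided tool. The log lines are constructed samples in IIS W3C extended format; the vault prefix /api/vault/ is a placeholder because the page does not name the real endpoint, and the management subnet 10.20.0.0/16 is an assumed value to be replaced with your own.

```python
"""
Offline triage of access-log lines for requests to credential-vault API paths.
Log content, the vault path prefix and the management subnet are constructed
or assumed values for this example, not real EPM identifiers.
"""
import ipaddress
from datetime import datetime
from typing import Dict, Iterator, List

PATCH_RELEASED = datetime(2026, 2, 10)                       # from the advisory timeline
MANAGEMENT_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumption: replace with yours
VAULT_PREFIXES = ("/api/vault/",)                            # placeholder endpoint prefix

# Constructed sample log in IIS W3C extended format (not a real EPM log).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2026-02-03 09:14:02 10.20.5.17 GET /api/vault/credentials 200
2026-02-03 11:47:55 203.0.113.45 GET /api/vault/credentials 200
2026-02-04 08:01:10 198.51.100.9 GET /login 401
2026-02-12 14:22:31 203.0.113.45 GET /api/vault/credentials 401
2026-02-15 10:05:00 10.20.5.17 POST /api/vault/rotate 200
"""

def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, using the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than abort the hunt
        yield dict(zip(fields, values))

def in_management_subnet(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_SUBNETS)

def reasons_for(rec: Dict[str, str]) -> List[str]:
    """Return why a vault request deserves review; empty list means not flagged."""
    if not rec["cs-uri-stem"].startswith(VAULT_PREFIXES):
        return []
    if in_management_subnet(rec["c-ip"]):
        return []  # expected admin traffic; a later step correlates it with AD logs
    reasons = ["source outside management subnets"]
    when = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    if when < PATCH_RELEASED:
        reasons.append("request before patch release (2026-02-10)")
    return reasons

def hunt(text: str) -> List[Dict[str, object]]:
    findings = []
    for rec in parse_w3c(text):
        reasons = reasons_for(rec)
        if reasons:
            findings.append({
                "ip": rec["c-ip"],
                "when": f"{rec['date']} {rec['time']}",
                "uri": rec["cs-uri-stem"],
                "status": rec["sc-status"],
                "reasons": reasons,
            })
    return findings

def by_source(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count flagged vault requests per source IP for quick prioritisation."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["ip"])] = counts.get(str(f["ip"]), 0) + 1
    return counts

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['when']} {f['ip']} {f['uri']} HTTP {f['status']}: {'; '.join(f['reasons'])}")
    print("per source:", by_source(hunt(SAMPLE_LOG)))
```

A successful (HTTP 200) vault request from an external address before the patch date is the strongest signal in this output and should be treated as confirmation that the credential rotation in step 3 is required; a failed request after patching still identifies a source worth blocking at the perimeter.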

Key Details

Property               Value
CVE ID                 CVE-2026-1603
Vendor / Product       Ivanti Endpoint Manager (EPM)
NVD Published          2026-02-10
NVD Last Modified      2026-03-10
CVSS 3.1 Score         8.6
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Severity               HIGH
CWE                    CWE-288
CISA KEV Added         2026-03-09
CISA KEV Deadline      2026-03-23
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              None
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2026-03-23. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2026-02-10   Ivanti publishes Security Advisory EPM February 2026 and releases the EPM 2024 SU5 patch
2026-03-09   CISA adds CVE-2026-1603 to the Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild approximately one month after patch release
2026-03-09   Horizon3.ai publishes technical analysis and Rapid Response detection test
2026-03-23   CISA BOD 22-01 remediation deadline