Security Alert: Ivanti EPM Vulnerability Exploited in the Wild

The Urgency of Patching Ivanti Endpoint Manager Vulnerability Highlighted by CISA

An urgent call to action was issued by the Cybersecurity and Infrastructure Security Agency (CISA) as they flagged a high-severity vulnerability in Ivanti Endpoint Manager (EPM) that is currently being actively exploited in attacks. The directive was aimed at U.S. federal agencies, mandating them to patch their systems within a three-week timeframe.

Designed as a comprehensive endpoint management solution, Ivanti’s EPM software caters to managing client devices running on various platforms including Windows, macOS, Linux, Chrome OS, and IoT.

Identified as CVE-2026-1603, this critical security loophole can be leveraged by remote threat actors without privileges to circumvent authentication and pilfer credential data through low-complexity cross-site scripting attacks that necessitate no user interaction.

Having addressed the vulnerability a month prior, Ivanti released Ivanti EPM 2024 SU5 which not only fixed CVE-2026-1603 but also resolved an SQL injection flaw that enables remote authenticated attackers to retrieve arbitrary data from the database.

Despite CISA’s classification of CVE-2026-1603 as actively exploited in the wild, Ivanti stated that there have been no reported instances of exploitation prior to the public disclosure when questioned by BleepingComputer on Monday.

In the original advisory, Ivanti mentioned, “We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program.”

At present, the Shadowserver threat monitoring platform is monitoring over 700 Internet-facing Ivanti EPM instances, predominantly in North America. However, there is no definitive information on the number of instances that remain vulnerable to CVE-2026-1603 attacks.

See also  Massive Security Breach: React2Shell Vulnerability Exposes 77k IP Addresses and Compromises 30 Organizations

Although specific details regarding attacks exploiting this vulnerability were not disclosed, CISA has included it in its Known Exploited Vulnerabilities (KEV) Catalog on Monday, emphasizing that such security vulnerabilities are frequently targeted by malicious cyber actors and pose substantial risks to the federal enterprise.

The directive from the U.S. cybersecurity agency mandated Federal Civilian Executive Branch (FCEB) agencies to patch their systems by March 23, within a three-week deadline as outlined in a binding operational directive (BOD 22-01) issued in November 2021.

While there is no current evidence of active exploitation of CVE-2026-1603 by Ivanti, threat actors often focus on leveraging Ivanti EPM vulnerabilities in their attacks.

A year ago, CISA cautioned federal agencies to fortify their networks against three other EPM vulnerabilities (CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161) that were exploited in the wild.

Additionally, in October 2024, CISA instructed U.S. government agencies to address another actively exploited EPM vulnerability (CVE-2024-29824).

Serving over 40,000 companies worldwide through a network of more than 7,000 partners, Ivanti offers system and IT asset management products.

Malware is getting smarter. The Red Report 2026 delves into how new threats utilize mathematics to evade sandbox detection and remain hidden in plain sight.

Explore our analysis of 1.1 million malicious samples to uncover the top 10 techniques and assess the effectiveness of your security measures.

Download The Report