CVE-2026-1603

An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US	Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1603	US Government Resource

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ivanti:endpoint_manager::::::::
	cpe:2.3:a:ivanti:endpoint_manager:2024:-::::::
	cpe:2.3:a:ivanti:endpoint_manager:2024:su1::::::
	cpe:2.3:a:ivanti:endpoint_manager:2024:su2::::::
	cpe:2.3:a:ivanti:endpoint_manager:2024:su3::::::
	cpe:2.3:a:ivanti:endpoint_manager:2024:su3_security_release_1::::::
	cpe:2.3:a:ivanti:endpoint_manager:2024:su4::::::
	cpe:2.3:a:ivanti:endpoint_manager:2024:su4_security_release_1::::::

History

10 Mar 2026, 13:11

Type	Values Removed	Values Added
CPE	cpe:2.3:a:ivanti:endpoint_manager:2024:su4_sr1::::::	cpe:2.3:a:ivanti:endpoint_manager:2024:su4_security_release_1::::::
References	~~() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1603 -~~	() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1603 - US Government Resource
CWE		CWE-306

09 Mar 2026, 19:16

Type	Values Removed	Values Added
References		() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1603 -
Summary		(es) Una omisión de autenticación en Ivanti Endpoint Manager anterior a la versión 2024 SU5 permite a un atacante remoto no autenticado filtrar datos de credenciales almacenados específicos.

12 Feb 2026, 15:20

Type	Values Removed	Values Added
First Time		Ivanti Ivanti endpoint Manager
CPE		cpe:2.3:a:ivanti:endpoint_manager:2024:su2:::::: cpe:2.3:a:ivanti:endpoint_manager:2024:su3_security_release_1:::::: cpe:2.3:a:ivanti:endpoint_manager:2024:su4_sr1:::::: cpe:2.3:a:ivanti:endpoint_manager:2024:su4:::::: cpe:2.3:a:ivanti:endpoint_manager:2024:su3:::::: cpe:2.3:a:ivanti:endpoint_manager:2024:su1:::::: cpe:2.3:a:ivanti:endpoint_manager:::::::: cpe:2.3:a:ivanti:endpoint_manager:2024:-::::::
References	~~() https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US -~~	() https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US - Vendor Advisory

10 Feb 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-10 16:16

Updated : 2026-03-10 13:11

NVD link : CVE-2026-1603

Mitre link : CVE-2026-1603

CVE.ORG link : CVE-2026-1603

JSON object : View

Products Affected

ivanti

endpoint_manager

CWE

CWE-288

Authentication Bypass Using an Alternate Path or Channel

CWE-306

Missing Authentication for Critical Function

8.6 /10