Full Report
CISA flagged a high-severity Ivanti Endpoint Manager (EPM) vulnerability as actively exploited in attacks and ordered U.S. federal agencies to patch systems within three weeks. [...]
Analysis Summary
# Vulnerability: Ivanti Endpoint Manager (EPM) Authentication Bypass via XSS
## CVE Details
- **CVE ID:** CVE-2026-1603
- **CVSS Score:** Not stated in the article; CISA rates the flaw as high severity.
- **Weakness:** Cross-site scripting (XSS) that results in an authentication bypass. The article gives no CWE identifier; the generic XSS weakness class is CWE-79.
## Affected Systems
- **Products:** Ivanti Endpoint Manager (EPM)
- **Versions:** EPM 2024 builds prior to Service Update 5 (SU5).
- **Exposure:** Internet-facing EPM instances; Shadowserver counts roughly 700 exposed instances worldwide.
## Vulnerability Description
CVE-2026-1603 is a cross-site scripting (XSS) flaw in Ivanti EPM that a remote, unauthenticated attacker can use to bypass authentication and steal sensitive credential data. The attack is described as low-complexity and, unusually for XSS, as requiring no user interaction, so it does not depend on an administrator opening a crafted link. The article does not name the affected component or describe the exploitation chain in detail.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by CISA; added to KEV Catalog)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
- **PoC Availability:** Not mentioned in the article; in-the-wild exploitation is confirmed regardless.
## Impact
- **Confidentiality:** High (The flaw allows for the theft of credential data)
- **Integrity:** High (Authentication bypass allows unauthorized access to the management platform)
- **Availability:** Not addressed in the article. An attacker holding EPM administrative credentials controls the management platform, and through it the endpoints it manages, so follow-on disruption is possible.
## Remediation
### Patches
- **Ivanti EPM 2024 SU5:** Upgrade to this release (published February 2026); it fixes CVE-2026-1603 and a separately reported SQL injection flaw.
### Workarounds
- The article lists no vendor workaround; Ivanti and CISA recommend applying SU5 immediately, and federal agencies have three weeks under the KEV deadline.
- Until the patch is applied, restricting the EPM console to trusted management networks or VPN access reduces exposure to the unauthenticated network vector. This is general hardening advice, not a vendor-documented mitigation, and it does not address an attacker who already holds a foothold on the internal network.
## Detection
- **Indicators of Compromise:** The article publishes no specific IoCs. Review EPM console logins for unexpected source addresses, accounts or times, and look for credential or account changes within EPM that no administrator made.
- **Detection methods and tools:**
  - Check the Shadowserver dashboard (linked below) for EPM instances exposed on your address space; any instance reachable from the internet before SU5 should be treated as a candidate for compromise review, not only for patching.
  - Federal agencies must scan and track remediation under BOD 22-01, the directive that governs the KEV catalog.
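The "unusual administrative logins" check above can be scripted against the web server logs of the EPM Core server. The block below is an added example written for this page, not Ivanti's or CISA's code, and everything in it is assumed: that the EPM console is served by IIS writing W3C extended logs, the `#Fields:` layout of those logs, the trusted management ranges in `TRUSTED_NETS`, the expected administrator accounts in `ADMIN_ACCOUNTS`, and the sample log lines, which are constructed (203.0.113.0/24 is a documentation range). It flags any console request from outside the trusted ranges and any authenticated session for an account that is not on the administrator list.

```python
"""Triage IIS W3C logs for suspicious access to an Ivanti EPM web console.

Added example, not vendor code. Assumptions (all hypothetical):
  - The EPM console sits behind IIS, which writes W3C extended logs whose
    field order is given by the '#Fields:' header (any order is accepted).
  - TRUSTED_NETS lists the networks administrators are expected to come from.
  - ADMIN_ACCOUNTS lists the only accounts that should hold console sessions.
If the console uses forms authentication, IIS records cs-username as '-'
and only the network check is informative.
"""
import ipaddress
from dataclasses import dataclass

TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]
ADMIN_ACCOUNTS = {"corp\\epmadmin", "corp\\svc-epm"}  # compared case-insensitively

# Constructed sample log; the IPs, accounts and paths are invented.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status
2026-02-20 09:01:12 10.20.3.4 CORP\epmadmin 443 GET /console/ 200
2026-02-20 09:05:44 203.0.113.77 - 443 GET /console/ 200
2026-02-20 09:06:02 203.0.113.77 CORP\jsmith 443 GET /console/ 200
"""


@dataclass
class Finding:
    reason: str
    client_ip: str
    user: str
    path: str
    status: int


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign
        yield dict(zip(fields, parts))


def is_trusted(ip):
    """True if ip parses and lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # '-' or garbage: never trusted
    return any(addr in net for net in TRUSTED_NETS)


def triage(lines):
    """Return Findings for untrusted sources and unexpected authenticated accounts."""
    findings = []
    for rec in parse_w3c(lines):
        ip = rec.get("c-ip", "-")
        user = rec.get("cs-username", "-")
        path = rec.get("cs-uri-stem", "-")
        status = int(rec.get("sc-status", "0"))
        if not is_trusted(ip):
            findings.append(Finding("console request from untrusted network",
                                    ip, user, path, status))
        # A successful (2xx/3xx) request carrying a non-admin identity means
        # someone other than the expected administrators holds a session.
        if user != "-" and user.lower() not in ADMIN_ACCOUNTS and 200 <= status < 400:
            findings.append(Finding("authenticated session for unexpected account",
                                    ip, user, path, status))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.reason}: {f.client_ip} {f.user} {f.path} {f.status}")
```

Run it against the real log directory (`%SystemDrive%\inetpub\logs\LogFiles` by default on IIS) by passing the file contents to `triage()`; each finding is a lead to check against change tickets and VPN records, not proof of compromise, and a clean run says nothing about an attacker who came in from a trusted range.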
## References
- **Vendor Advisory:** hxxps[://]hub[.]ivanti[.]com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Shadowserver Statistics:** hxxps[://]dashboard[.]shadowserver[.]org/statistics/iot-devices/time-series/