CISA warns Ivanti Endpoint Manager flaw is now under active attack


CISA has warned that a recently patched Ivanti Endpoint Manager vulnerability is now being exploited in the wild. The flaw, tracked as CVE-2026-1603, lets a remote, unauthenticated attacker leak specific stored credential data, and CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on March 9, 2026.

The issue affects Ivanti Endpoint Manager versions before 2024 SU5. NIST’s entry for the CVE says the bug allows an authentication bypass that can expose stored credential data without requiring valid login credentials.

That makes this more than a routine patch notice. Endpoint Manager often sits close to the center of device administration, software deployment, and credential handling in enterprise networks, so a flaw that exposes stored credentials can give an attacker a fast path to deeper compromise. That assessment follows from Ivanti's own description of the product and the CVE impact published by NIST.

CISA’s KEV action also puts federal agencies on a clock. The agency set a remediation due date of March 23, 2026, and the catalog's required action says agencies must apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Ivanti disclosed the vulnerability in its February 2026 security update and pointed customers to its advisory for remediation steps. At that time, the company said it had no evidence of exploitation in the wild. By March 9, CISA had taken the stronger step of adding the bug to KEV, which means U.S. authorities now treat the issue as actively exploited.

The flaw carries a high severity rating, but public scoring differs slightly depending on the source. NIST shows a 7.5 CVSS v3.1 base score, while the CNA score from Ivanti listed in NVD is 8.6. NVD and the CNA score independently, so gaps like this are common; both scores place the bug in the high-severity range.

Ivanti patched CVE-2026-1603 in Endpoint Manager 2024 SU5. The same February update also addressed CVE-2026-1602, a SQL injection issue that allows a remote authenticated attacker to read arbitrary data from the database. Both fixes ship in the same release, so defenders tracking only the KEV entry should still record CVE-2026-1602 as remediated by the same upgrade rather than stopping after one bug from the February release.

Trend Micro’s Zero Day Initiative publicly listed an Ivanti Endpoint Manager authentication bypass advisory in February 2026, which corroborates the disclosure timeline even though the advisory page itself was unavailable when checked. NVD also shows the CVE was first published on February 10, 2026, and later updated after CISA added the bug to KEV.

What stands out here is the shift in status. On February 10, Ivanti said it had no evidence of active exploitation. On March 9, CISA added the flaw to KEV with a due date for federal remediation. For defenders, that changes the story from patch soon to patch now.

Key details

CVE: CVE-2026-1603
Product: Ivanti Endpoint Manager
Vulnerability type: Authentication bypass
Impact: Leak of specific stored credential data
Authentication required: No
Affected versions: Versions before 2024 SU5
Fixed version: 2024 SU5
Added to CISA KEV: March 9, 2026
Federal due date: March 23, 2026

What admins should do now

  • Upgrade Ivanti Endpoint Manager to 2024 SU5 or later.
  • Review Ivanti’s February 2026 advisory and apply the vendor’s mitigation steps.
  • Treat internet-exposed or widely reachable EPM servers as urgent review targets, because the bug does not require authentication (an inference from the CVE description and KEV status, not a statement from Ivanti or CISA).
  • Confirm that the same upgrade also closes CVE-2026-1602, which Ivanti fixed in the same February release, so both bugs are tracked to closure in your environment.
  • Follow CISA BOD 22-01 guidance if you are in a federal environment, or align internal deadlines to the March 23, 2026 date if you want a clear patch target.
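The steps above amount to an inventory triage: find every EPM host still below 2024 SU5, rank the reachable ones first, and work against CISA's due date. The script below is an added example written for this article, not code from Ivanti or CISA. The KEV excerpt and the host inventory are constructed for illustration (the KEV field names follow the public known_exploited_vulnerabilities.json feed, the values come from the article), and the "YYYY SUn" version format is an assumption about how EPM builds are labelled; a real run would replace both with the live feed and your own asset data.

```python
"""Triage helper for CVE-2026-1603: flag Ivanti EPM hosts that still need
2024 SU5 and compute how long remains until CISA's BOD 22-01 due date.

Added example, not Ivanti or CISA code. KEV record and inventory below are
constructed; the 'YYYY SUn' version format is an assumption.
"""
import json
import re
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names match
# the public feed schema; values are taken from the advisory text above.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2026-1603",
   "vendorProject": "Ivanti",
   "product": "Endpoint Manager",
   "dateAdded": "2026-03-09",
   "dueDate": "2026-03-23",
   "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."}
]}
"""

# Constructed asset inventory: hostname, reported EPM version, exposure.
INVENTORY = [
    {"host": "epm-core-01", "version": "2024 SU4", "internet_facing": True},
    {"host": "epm-core-02", "version": "2024 SU5", "internet_facing": True},
    {"host": "epm-lab-01",  "version": "2022 SU7", "internet_facing": False},
    {"host": "epm-dr-01",   "version": "2024 SU6", "internet_facing": False},
]

FIXED_VERSION = "2024 SU5"
_VERSION_RE = re.compile(r"^\s*(\d{4})\s*SU\s*(\d+)\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (year, su) for a 'YYYY SUn' string (assumed format).
    Raise on anything else rather than silently treating an unknown
    build string as patched."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised EPM version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version sorts before the fixed release."""
    return parse_version(version) < parse_version(fixed)


def kev_record(kev_json, cve_id):
    """Pull one CVE's record out of a KEV-format document, or None."""
    for entry in json.loads(kev_json)["vulnerabilities"]:
        if entry["cveID"] == cve_id:
            return entry
    return None


def days_until_due(record, today):
    """Days left before the KEV dueDate; negative once overdue."""
    return (date.fromisoformat(record["dueDate"]) - today).days


def triage(inventory, kev_json, cve_id, today_iso):
    """Rank unpatched hosts: internet-facing first, then oldest build."""
    today = date.fromisoformat(today_iso)
    record = kev_record(kev_json, cve_id)
    hits = [h for h in inventory if is_vulnerable(h["version"])]
    hits.sort(key=lambda h: (not h["internet_facing"],
                             parse_version(h["version"])))
    return {
        "cve": cve_id,
        "due_date": record["dueDate"] if record else None,
        "days_left": days_until_due(record, today) if record else None,
        "needs_upgrade": [h["host"] for h in hits],
    }


if __name__ == "__main__":
    result = triage(INVENTORY, KEV_JSON, "CVE-2026-1603", "2026-03-10")
    print(json.dumps(result, indent=2))
```

The strict version parser is deliberate: an unparseable build string is a data-quality problem to fix, not a host to quietly drop from the list. Swap KEV_JSON for the live feed and INVENTORY for your CMDB export, and the same ranking applies to any KEV entry with a version cut-off.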

Why this bug matters

  • It exposes credential data from a central management product.
  • It does not require valid credentials to start the attack.
  • CISA has already confirmed exploitation strongly enough to add it to KEV.
  • The fix already exists, so unpatched systems now stand out as the easier targets (an inference from the patch and KEV status rather than a published finding).

FAQ

What is CVE-2026-1603?

It is an authentication bypass vulnerability in Ivanti Endpoint Manager that can let a remote, unauthenticated attacker leak specific stored credential data.

Which versions are affected?

According to NVD, Ivanti Endpoint Manager versions before 2024 SU5 are affected.

Has this flaw been exploited in the wild?

Yes. CISA added the bug to the Known Exploited Vulnerabilities catalog on March 9, 2026.

What version fixes the issue?

Ivanti says the issue is fixed in Endpoint Manager 2024 SU5.
