CISA has classified a high-severity Ivanti Endpoint Manager vulnerability (CVE-2026-1603) as actively exploited and ordered U.S. federal agencies to patch affected systems within three weeks. Ivanti released EPM 2024 SU5 last month to address this flaw and an SQL injection issue, while Shadowserver reports over 700 Internet-facing EPM instances and Ivanti says it has no confirmed exploitation reports.
Key points
- CISA added CVE-2026-1603 to its Known Exploited Vulnerabilities catalog and mandated patching by March 23 for federal agencies.
- CVE-2026-1603 enables unauthenticated remote attackers to bypass authentication and steal credentials in low-complexity cross-site scripting attacks that require no user interaction.
- Ivanti released EPM 2024 SU5 to patch CVE-2026-1603 and an SQL injection vulnerability that could expose database data.
- Shadowserver tracks more than 700 Internet-facing Ivanti EPM instances, mostly in North America, with unclear exposure status.
- Ivanti reports no confirmed customer exploitation prior to public disclosure, though EPM flaws have been targeted in prior active attacks.