8.6

CVE-2026-1603

Warnung
Medienbericht
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IvantiEndpoint Manager Version < 2024
IvantiEndpoint Manager Version2024 Update-
IvantiEndpoint Manager Version2024 Updatesu1
IvantiEndpoint Manager Version2024 Updatesu2
IvantiEndpoint Manager Version2024 Updatesu3
IvantiEndpoint Manager Version2024 Updatesu3_security_release_1
IvantiEndpoint Manager Version2024 Updatesu4
IvantiEndpoint Manager Version2024 Updatesu4_security_release_1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login

09.03.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability

Schwachstelle

Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential data.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 80.56% 0.996
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
3c1d8aa1-5a33-4ea4-8992-aadd6440af75 8.6 3.9 4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
17.03.2026 22:20
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
10.03.2026 08:32
https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US
Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1603
US Government Resource