CVE-2026-1603

Warnung

Medienbericht

EPSS 65.39%
Veröffentlicht 10.02.2026 15:09:35
Zuletzt bearbeitet 10.03.2026 13:11:30
Quelle 3c1d8aa1-5a33-4ea4-8992-aadd64
CVE-Watchlists
Login
Unerledigt
Login

An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 2 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ivanti ≫ Endpoint Manager Version < 2024

Ivanti ≫ Endpoint Manager Version2024 Update-

Ivanti ≫ Endpoint Manager Version2024 Updatesu1

Ivanti ≫ Endpoint Manager Version2024 Updatesu2

Ivanti ≫ Endpoint Manager Version2024 Updatesu3

Ivanti ≫ Endpoint Manager Version2024 Updatesu3_security_release_1

Ivanti ≫ Endpoint Manager Version2024 Updatesu4

Ivanti ≫ Endpoint Manager Version2024 Updatesu4_security_release_1

09.03.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability

Schwachstelle

Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential data.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	65.39%	0.985

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
3c1d8aa1-5a33-4ea4-8992-aadd6440af75	8.6	3.9	4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://thehackernews.com/2026/03/cisa-flags-solarwinds-ivanti-and.html

Medienbericht

TheHackersNews

17.03.2026 22:20

https://www.heise.de/news/Angriffswarnung-fuer-Ivanti-Endpoint-Manager-SolarWinds-Web-Help-Desk-und-mehr-11204908.html

Medienbericht

heise Security

10.03.2026 08:32

https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024?language=en_US

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1603

US Government Resource