Ivanti EPM Flaw Patched, Now Under Active Attack

Summary

– CISA has flagged a high-severity Ivanti EPM vulnerability (CVE-2026-1603) as actively exploited and ordered federal agencies to patch within three weeks.
– The flaw allows unauthenticated remote attackers to bypass authentication and steal credentials in low-complexity attacks requiring no user interaction.
– Ivanti patched the vulnerability a month ago, but states it has no evidence of customer exploitation prior to the public disclosure.
– Over 700 internet-facing Ivanti EPM instances are currently tracked, though it’s unclear how many remain vulnerable to this specific attack.
– This is part of a pattern, as CISA has previously warned agencies about and mandated patching for other exploited Ivanti EPM flaws.

A critical vulnerability in Ivanti’s Endpoint Manager software is now confirmed to be under active attack, prompting urgent patching directives from U.S. cybersecurity authorities. The flaw, identified as CVE-2026-1603, allows unauthenticated remote attackers to bypass security controls and steal sensitive credential data. This high-severity issue affects a widely used platform for managing devices across Windows, macOS, Linux, and other operating systems.

Despite Ivanti releasing a patch in its 2024 SU5 update a month ago, the Cybersecurity and Infrastructure Security Agency (CISA) has officially added the vulnerability to its Known Exploited Vulnerabilities catalog. This designation signals that malicious actors are currently leveraging the weakness in real-world attacks. CISA has issued a binding directive, giving all federal civilian executive branch agencies a strict three-week deadline to apply the necessary security updates.

The company states it has not received any confirmed reports of customer systems being compromised through this flaw prior to its public disclosure. The vulnerability was reportedly discovered through a responsible disclosure program. However, CISA’s action underscores the significant risk it poses, describing such flaws as frequent vectors for cyberattacks that threaten federal networks.

Security researchers note that over 700 Ivanti EPM instances are currently exposed directly to the internet, with a large concentration located in North America. It remains unclear how many of these systems remain unpatched and vulnerable to exploitation. The same Ivanti update that fixes CVE-2026-1603 also resolves a separate SQL injection vulnerability that could let authenticated attackers access arbitrary database information.

This incident continues a concerning pattern of threats targeting Ivanti’s endpoint management solutions. In the past year, CISA has repeatedly warned agencies to patch other actively exploited EPM vulnerabilities. The agency mandated fixes for a set of three flaws in 2024 and another critical bug, CVE-2024-29824, just last October. Ivanti’s software is deployed across a massive global customer base, serving more than 40,000 organizations through thousands of partners, which amplifies the potential impact of such security gaps.

The urgent federal directive serves as a critical reminder for all organizations using Ivanti EPM to immediately verify they are running the patched 2024 SU5 version. Proactive mitigation is essential, as threat actors consistently target these types of vulnerabilities once they become public knowledge, regardless of initial exploitation reports.

(Source: Bleeping Computer)