CVE-2026-1603 – Ivanti Endpoint Manager
“Two serious bugs in Ivanti’s Endpoint Manager could let attackers steal credentials or read sensitive data — one without needing to log in at all.”
“This update closes an open door and a database weakness that attackers could use to grab stored data or move deeper into networks.”
Ivanti released patches in Endpoint Manager 2024 SU5 to fix two notable vulnerabilities: a high-severity authentication bypass (CVE-2026-1603) and a medium-severity SQL injection issue (CVE-2026-1602). These affect versions of Ivanti Endpoint Manager prior to 2024 SU5.
CVE-2026-1603 carries a CVSS score of 8.6 (High). It allows a remote, unauthenticated attacker to bypass authentication controls and access sensitive stored credential information. Because no login is required, this issue presents significant risk, especially if the management interface is exposed to untrusted networks.
CVE-2026-1602 has a CVSS score of 6.5 (Medium). It is an SQL injection vulnerability that allows an authenticated attacker to manipulate database queries and read arbitrary data. While it requires valid access, it could be leveraged by insiders or attackers who have already obtained credentials.
At the time of disclosure, Ivanti reported no confirmed real-world exploitation of these vulnerabilities. The patch in 2024 SU5 addresses both issues.
Key Details
- Affected Product: Ivanti Endpoint Manager
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-288