CISA flags Ivanti EPM vulnerability as actively exploited – federal agencies must patch within 3 weeks
CISA has flagged the high-severity Ivanti Endpoint Manager (EPM) vulnerability CVE-2026-1603 as actively exploited, ordering U.S. federal agencies to patch within three weeks. The flaw allows remote attackers to bypass authentication and steal credentials via low-complexity cross-site scripting attacks without user interaction. Ivanti released a patch in February 2026 that also addressed an SQL injection flaw, and although Ivanti has not reported any exploitation, the agency’s alert indicates the vulnerability is now being used in the wild. The Shadowserver platform tracks over 700 Internet-exposed EPM instances, primarily in North America, but how many of them remain vulnerable is unclear. CISA added CVE-2026-1603 to its Known Exploited Vulnerabilities catalog and issued a binding directive for federal agencies to patch by March 23. This follows previous advisories on other actively exploited Ivanti EPM flaws, underscoring the ongoing risk of endpoint management software vulnerabilities.

CISA has recently identified the high-severity vulnerability CVE-2026-1603 in Ivanti Endpoint Manager (EPM) as being actively exploited in real-world attacks. The flaw allows remote attackers to bypass authentication and steal credential data through low-complexity cross-site scripting, requiring no user interaction. Ivanti released a patch for this issue one month ago with the EPM 2024 SU5 update, alongside a fix for an SQL injection vulnerability that lets authenticated users read arbitrary database contents. The U.S. federal cybersecurity agency has now added CVE-2026-1603 to its Known Exploited Vulnerabilities (KEV) catalog and issued a binding operational directive mandating that all Federal Civilian Executive Branch agencies patch their systems within three weeks, by March 23.
The threat landscape for Ivanti EPM remains significant. Shadowserver’s monitoring platform currently tracks over 700 internet-exposed EPM instances, predominantly in North America, yet the exact number of vulnerable deployments is unknown. While Ivanti has not reported any confirmed exploitation cases since the patch release, past incidents have demonstrated that attackers frequently target this product. In 2024, CISA warned federal agencies about three other EPM flaws (CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161) that were actively exploited, and a year earlier it directed agencies to remediate the RCE flaw CVE-2024-29824.
Ivanti’s EPM is a comprehensive endpoint management solution that spans Windows, macOS, Linux, Chrome OS, and IoT platforms. With more than 40,000 customers and over 7,000 partners worldwide, the security implications of any vulnerability are far-reaching. The recent CISA alert underscores the urgency for organizations to ensure all EPM deployments are up to date, especially in environments where exposed instances could be a target for malicious actors exploiting authentication bypass or credential theft.