CISA flags Ivanti EPM vulnerability as actively exploited – federal agencies must patch within 3 weeks | Security & Infrastructure Tools

CISA has recently identified the high‑severity vulnerability CVE‑2026‑1603 in Ivanti Endpoint Manager (EPM) as being actively exploited in real‑world attacks. The flaw allows remote attackers to bypass authentication and steal credential data through low‑complexity cross‑site scripting, requiring no user interaction. Although Ivanti released a patch for this issue one month ago with the EPM 2024 SU5 update—alongside a fix for an SQL injection vulnerability that lets authenticated users read arbitrary database contents—the U.S. federal cybersecurity agency has now added CVE‑2026‑1603 to its Known Exploited Vulnerabilities (KEV) catalog and issued a binding operational directive mandating that all Federal Civilian Executive Branch agencies patch their systems within three weeks, by March 23.

The threat landscape for Ivanti EPM remains significant. Shadowserver’s monitoring platform currently tracks over 700 internet‑exposed EPM instances, predominantly in North America, yet the exact number of vulnerable deployments is unknown. While Ivanti has not reported any confirmed exploitation cases since the patch release, past incidents have demonstrated that attackers frequently target this product. In 2024, CISA warned federal agencies about three other EPM flaws—CVE‑2024‑13159, CVE‑2024‑13160, and CVE‑2024‑13161—that were actively exploited, and a year earlier it directed agencies to remediate the RCE flaw CVE‑2024‑29824.

Ivanti’s EPM is a comprehensive endpoint management solution that spans Windows, macOS, Linux, Chrome OS, and IoT platforms. With more than 40,000 customers and over 7,000 partners worldwide, the security implications of any vulnerability are far-reaching. The recent CISA alert underscores the urgency for organizations to ensure all EPM deployments are up‑to‑date, especially in environments where exposed instances could be a target for malicious actors exploiting authentication bypass or credential theft.

CISA flags Ivanti EPM vulnerability as actively exploited – federal agencies must patch within 3 weeks

Related Posts

Reducing security operations complexity with Wazuh Cloud

More from the Blog

Microsoft Adds Copilot Data Controls to All Storage Locations

Previously harmless Google API keys now expose Gemini AI data

Get the next deep dive in your inbox

Stay Updated

Check Point links VPN zero-day attacks to Qilin ransomware gang

Oxford University discloses data breach after careers platform hack

Microsoft says bug in classic Outlook hides the mouse pointer

Product

Learn

Company

Legal

Stay Updated

Browse by Category

Stay Updated