Ivanti patched over a dozen Endpoint Manager flaws, including a high-severity auth bypass that let attackers steal credentials remotely.

Ivanti released patches for more than a dozen vulnerabilities in Endpoint Manager, including flaws disclosed in October 2025. The update addresses a high-severity authentication bypass, tracked as CVE-2026-1603 (CVSS score of 8.6), that attackers could exploit remotely without credentials to access and steal sensitive login information.

“An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.” reads the advisory.

The company also fixed a medium-severity SQL injection, tracked as CVE-2026-1602 (CVSS score of 6.5), in Ivanti Endpoint Manager.

“SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.” continues the advisory.

Trend Micro’s ZDI reported the flaws to Ivanti in November 2024. Threat actors could exploit the bugs to escalate privileges and run code remotely. The company said it is not aware of attacks in the wild exploiting these vulnerabilities before public disclosure. EPM 2024 SU5 addressed both vulnerabilities.

In December, the software firm addressed a newly disclosed vulnerability, tracked as CVE-2025-10573 (CVSS score 9.6), in its Endpoint Manager (EPM) solution. The vulnerability is a stored XSS that could allow a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session.

“Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.” reads the advisory.

The flaw impacts Ivanti Endpoint Manager prior to version 2024 SU4 SR1.

Pierluigi Paganini
Published: 2026-02-12T06:13:41