The Vulnerability
CVE-2026-1603 is an authentication bypass vulnerability in Ivanti Endpoint Manager (EPM), the enterprise agent-based endpoint management platform used to manage Windows, macOS, and Linux devices. The flaw affects all versions of Ivanti EPM prior to the 2024 SU5 release and allows a remote, unauthenticated attacker to bypass login entirely.
The bypass mechanism is deceptively simple: by sending a crafted HTTP request that includes a specific numeric value (a "magic number") to protected EPM endpoints, an attacker reaches the EPM Credential Vault without presenting any credentials. Horizon3 researchers confirmed that exploitation grants immediate access to the encrypted credential blobs the vault holds for high-privilege accounts, specifically Domain Administrator password hashes and the service account credentials stored within the management system.
What Attackers Can Do
Ivanti EPM is deployed to centralise endpoint management across large organisations: it handles software distribution, patching, remote access, and device inventory for enterprise environments. The Credential Vault, the specific target of this vulnerability, stores the privileged credentials EPM uses to perform management operations across the estate.
Successful exploitation provides an attacker with:
- Domain Administrator NTLM hashes which, once recovered from the vault, can be used directly in pass-the-hash attacks or cracked offline to obtain plaintext passwords
- Service account credentials for systems integrated with EPM, which frequently include patch management servers, software deployment infrastructure, and monitoring systems
- A direct path to lateral movement: with Domain Admin hashes in hand, an attacker can authenticate to Active Directory and move freely through the environment
This is not a server-level compromise in isolation. An attacker who extracts Domain Admin credentials from EPM has effectively bypassed the organisation's entire authentication perimeter, because those credentials are accepted by every domain-joined system.
Exploitation Activity
CISA added CVE-2026-1603 to its Known Exploited Vulnerabilities (KEV) catalogue on 9 March 2026, confirming active exploitation in the wild. The deadline for federal civilian agencies to patch is today, 23 March 2026. The two-week window reflects CISA's assessment that exposure is both widespread and actively targeted.
Ivanti's endpoint management products have been a consistent target for threat actors because of their privileged access to managed environments. CVE-2026-1603 follows the pattern seen with prior Ivanti vulnerabilities, in which the management plane itself becomes the attack vector.
Affected Versions and Patch
The vulnerability affects all supported versions of Ivanti EPM prior to 2024 SU5. The fix is version 2024 SU5. Ivanti has released no temporary workaround, so patching is the only complete remediation.
Note that this advisory concerns Ivanti Endpoint Manager (EPM), the agent-based platform for Windows, macOS, and Linux endpoints described above, and not Ivanti Endpoint Manager Mobile (EPMM), which manages mobile devices and has its own separate set of critical vulnerabilities.
Recommended Actions
- Upgrade Ivanti EPM to version 2024 SU5 immediately; this is the only complete remediation
- Rotate all credentials stored in the EPM Credential Vault: Domain Administrator accounts, service accounts, and any other accounts provisioned through EPM. Treat these as potentially compromised even before exploitation is confirmed, and rotate them after the upgrade (or on an isolated server), since credentials rotated on an unpatched server can simply be extracted again
- Audit EPM access logs for anomalous HTTP requests, particularly unauthenticated requests that reached protected endpoint paths with a success status, from the past 60 days. Exploitation may predate the 9 March KEV listing, so do not limit the search to that date
- Verify Active Directory for signs of lateral movement: unexpected authentications from EPM server IP ranges, new admin group memberships, or unusual Kerberos ticket activity from the EPM service account
- Restrict EPM management interface access to dedicated management networks; the EPM web console should not be reachable from general corporate networks or the internet
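The log-audit step above, worked through as an added example (this is not Ivanti tooling, and it does not encode the CVE-2026-1603 request itself, which the write-up does not detail). EPM's web tier runs on IIS, so the script parses IIS W3C extended log lines and flags requests to protected paths that carried no authenticated user (cs-username "-") yet received a 2xx status inside a 60-day window. The protected URL prefixes, the reference date, the IP addresses and the log lines themselves are all constructed placeholders and must be replaced with values from your own server.

```python
"""Triage an EPM core server's IIS W3C access log for unauthenticated requests
that reached protected paths with a success status (added example, not Ivanti code)."""
from collections import Counter
from datetime import date, timedelta

# ASSUMPTION: the EPM URL prefixes that should only answer authenticated callers
# are not given in the write-up. Replace these placeholders with the paths
# configured on your own IIS site.
PROTECTED_PREFIXES = ("/epm/vault/", "/epm/admin/")

# Fixed reference date so the 60-day window is reproducible; use date.today() in practice.
REFERENCE_DATE = date(2026, 3, 23)

# Constructed IIS W3C sample (not real traffic): two anonymous 200s to protected
# paths from one external IP, a normal 401-then-authenticated admin session, and
# one anonymous hit that falls outside the audit window.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
2026-03-10 02:14:07 10.0.5.20 GET /epm/admin/status - 443 - 198.51.100.23 python-requests/2.31 200 0
2026-03-10 02:14:09 10.0.5.20 POST /epm/vault/export - 443 - 198.51.100.23 python-requests/2.31 200 0
2026-03-10 08:31:44 10.0.5.20 GET /epm/vault/export - 443 - 10.0.7.15 Mozilla/5.0+(Windows+NT+10.0) 401 2
2026-03-10 08:31:45 10.0.5.20 GET /epm/vault/export - 443 CORP\\epmadmin 10.0.7.15 Mozilla/5.0+(Windows+NT+10.0) 200 0
2025-12-01 11:00:00 10.0.5.20 GET /epm/vault/export - 443 - 203.0.113.9 curl/8.4.0 200 0
"""


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the '#Fields:' names.

    IIS encodes spaces inside a value as '+', so splitting on whitespace is safe.
    Lines whose column count does not match the header are skipped rather than
    risk misaligning columns.
    """
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no records
        if fields is None:
            raise ValueError("log data before any #Fields directive")
        values = line.split()
        if len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def audit_window_start(days=60, today=REFERENCE_DATE):
    """First date included in the audit window."""
    return today - timedelta(days=days)


def find_unauthenticated_hits(records, protected_prefixes, since):
    """Requests on or after `since` to a protected path with no authenticated
    user and a 2xx status. 401s are excluded: a challenge is the expected
    answer to an anonymous request, and the authenticated retry is logged with
    a username.
    """
    hits = []
    for rec in records:
        if date.fromisoformat(rec["date"]) < since:
            continue
        if not rec["cs-uri-stem"].startswith(protected_prefixes):
            continue
        if rec["cs-username"] == "-" and 200 <= int(rec["sc-status"]) < 300:
            hits.append(rec)
    return hits


def triage_log(text, protected_prefixes=PROTECTED_PREFIXES, days=60, today=REFERENCE_DATE):
    """Parse and filter in one step; returns the flagged records."""
    return find_unauthenticated_hits(parse_w3c(text), protected_prefixes,
                                     audit_window_start(days, today))


def summarize_by_client(hits):
    """Flagged request count per client IP (c-ip), for prioritising follow-up."""
    return Counter(rec["c-ip"] for rec in hits)


if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    for ip, n in summarize_by_client(hits).most_common():
        print(f"{ip}: {n} unauthenticated request(s) to protected paths since {audit_window_start()}")
    for rec in hits:
        print(f"  {rec['date']} {rec['time']} {rec['cs-method']} {rec['cs-uri-stem']} "
              f"-> {rec['sc-status']} ({rec['cs(User-Agent)']})")
```

Run against the real logs (typically under %SystemDrive%\inetpub\logs\LogFiles), the interesting output is any client address with anonymous 2xx responses on paths that normally return 401 to anonymous callers; those addresses, and the accounts whose vault entries were reachable, drive the credential rotation and Active Directory checks.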
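The Active Directory check above, worked through as an added example (not Ivanti or Microsoft tooling). Security events are modelled as dicts in the shape a SIEM or Get-WinEvent export produces, and the script applies the three tests the recommendation lists: 4624 logons sourced from the EPM server address under an account other than EPM's own service account, additions to privileged groups (4728/4732/4756), and 4769 Kerberos service-ticket requests by the EPM service account for hosts it does not normally talk to. The EPM server IP, service account name, expected target hosts, and the events themselves are constructed assumptions to be replaced with your own values.

```python
"""Flag lateral-movement indicators in exported Windows Security events after a
suspected EPM Credential Vault compromise (added example, not vendor code)."""

# ASSUMPTIONS (not from the write-up): the EPM core server's address, the
# account the EPM services run under, and the host accounts it legitimately
# requests Kerberos service tickets for.
EPM_SERVER_IPS = {"10.0.5.20"}
EPM_SERVICE_ACCOUNTS = {"svc_epm"}
EXPECTED_EPM_TARGET_HOSTS = {"EPMSQL01$", "EPMCORE01$"}

# Membership changes to these groups always warrant review.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# 4728/4732/4756: member added to a security-enabled global/local/universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Constructed sample export (not real telemetry). Two Domain Admin network
# logons from the EPM server, a legitimate service-account logon, a Domain
# Admins membership change, and two 4769s (one to an expected host, one not).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2026-03-10T02:20:11", "Computer": "DC01.corp.example",
     "TargetUserName": "da_admin", "LogonType": 3, "IpAddress": "10.0.5.20"},
    {"EventID": 4624, "TimeCreated": "2026-03-10T02:21:40", "Computer": "FS02.corp.example",
     "TargetUserName": "da_admin", "LogonType": 3, "IpAddress": "10.0.5.20"},
    {"EventID": 4624, "TimeCreated": "2026-03-10T03:00:00", "Computer": "EPMSQL01.corp.example",
     "TargetUserName": "svc_epm", "LogonType": 3, "IpAddress": "10.0.5.20"},
    {"EventID": 4728, "TimeCreated": "2026-03-10T02:25:03", "Computer": "DC01.corp.example",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=backup_ops,OU=Users,DC=corp,DC=example", "SubjectUserName": "da_admin"},
    {"EventID": 4769, "TimeCreated": "2026-03-10T02:22:05", "Computer": "DC01.corp.example",
     "TargetUserName": "svc_epm@CORP.EXAMPLE", "ServiceName": "FS02$", "IpAddress": "::ffff:10.0.5.20"},
    {"EventID": 4769, "TimeCreated": "2026-03-10T03:00:01", "Computer": "DC01.corp.example",
     "TargetUserName": "svc_epm@CORP.EXAMPLE", "ServiceName": "EPMSQL01$", "IpAddress": "::ffff:10.0.5.20"},
]


def normalize_ip(addr):
    """Strip the IPv4-mapped IPv6 prefix that 4769 (and some 4624) events carry."""
    return addr[len("::ffff:"):] if addr.startswith("::ffff:") else addr


def account_name(upn_or_sam):
    """'svc_epm@CORP.EXAMPLE' -> 'svc_epm'; plain SAM names pass through."""
    return upn_or_sam.split("@", 1)[0].lower()


def flag_events(events, epm_ips=EPM_SERVER_IPS, epm_accounts=EPM_SERVICE_ACCOUNTS,
                expected_hosts=EXPECTED_EPM_TARGET_HOSTS):
    """Return (reason, event) pairs for the three indicator classes, in time order."""
    known = {a.lower() for a in epm_accounts}
    findings = []
    for ev in events:
        eid = ev["EventID"]
        src = normalize_ip(ev.get("IpAddress", "-"))
        if eid == 4624 and src in epm_ips and account_name(ev["TargetUserName"]) not in known:
            # The EPM server authenticating to other hosts as anything but its
            # own service account is exactly what stolen vault credentials enable.
            findings.append(("logon_from_epm_as_unexpected_account", ev))
        elif eid in GROUP_ADD_EVENTS and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            findings.append(("privileged_group_member_added", ev))
        elif (eid == 4769 and src in epm_ips and account_name(ev["TargetUserName"]) in known
              and ev["ServiceName"] not in expected_hosts):
            findings.append(("epm_service_account_ticket_for_unexpected_host", ev))
    return sorted(findings, key=lambda f: f[1]["TimeCreated"])


if __name__ == "__main__":
    for reason, ev in flag_events(SAMPLE_EVENTS):
        who = ev.get("MemberName") or ev["TargetUserName"]
        print(f"{ev['TimeCreated']} {ev['Computer']:<22} {ev['EventID']} {reason}: {who} "
              f"{ev.get('ServiceName', '')}".rstrip())
```

Feed it the 4624/4769 events from domain controllers and file servers and the group-change events from the DCs; an export with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4728,4732,4756,4769} | ConvertTo-Json` maps onto the dict fields used here once the EventData properties are flattened. The output is ordered by time, so a 4624 from the EPM address immediately followed by a privileged group change, as in the constructed sample, stands out as a single sequence rather than three unrelated alerts.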