
Credential-Stealing Flaw in Ivanti EPM Lets Hackers Waltz Past Authentication

Critical Ivanti EPM flaw allows unauthenticated attackers to steal credentials remotely. Patch now to prevent data theft.

Ivanti just patched a critical authentication bypass in its Endpoint Manager that hands attackers stored credentials on a silver platter—no login required.

The vulnerability, tracked as CVE-2026-1603, carries a CVSS score of 8.6 and affects all EPM 2024 versions prior to the newly released SU5 update. What makes this particularly nasty is the complete absence of barriers: an attacker anywhere on the internet can send requests to an exposed, unpatched server and extract stored credential data without holding an account or supplying any login.

"An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data," according to Ivanti's security advisory. The flaw essentially breaks the first rule of access control—making sure strangers can't see your secrets.

The timing couldn't be worse for enterprises already reeling from Ivanti's troubled security track record. Just weeks ago, the company disclosed actively exploited zero-days in its Endpoint Manager Mobile (EPMM) product, where attackers deployed web shells for persistent access. Now, EPM administrators face another sprint to patch before threat actors start mass-scanning for vulnerable installations.

Ivanti's update also fixes CVE-2026-1602, a medium-severity SQL injection (CVSS 6.5) that lets authenticated users run queries directly against the EPM database. It is less severe because it requires existing credentials, but it remains a serious data-exposure risk once an attacker has any foothold inside the network, whether through phishing or a compromised account.

Security researcher "06fe5fd2bc53027c4a3b7e395af0b850e7b8a044" from Trend Zero Day Initiative reported both flaws responsibly in November 2024. Ivanti confirmed they're "not aware of any customers being exploited by these vulnerabilities at the time of disclosure," though public disclosure now puts organisations in a race against attackers reverse-engineering the patches.

The fix bundle includes patches for 11 other medium-severity bugs from October 2025, making EPM 2024 SU5 a critical rollout. IT teams running EPM 2024 SU4 SR1 or earlier should download the update from Ivanti's License System immediately and verify deployment across all instances.

For organisations that can't patch instantly, network segmentation and restricting EPM access to trusted IP ranges can buy time—but only barely. Authentication bypasses don't care about firewalls when the vulnerable service sits inside the perimeter.
