PT-2026-7270 · Ivanti · Ivanti Endpoint Manager

Published: 2026-02-09 · Updated: 2026-03-10 · CVE-2026-1603

CVSS v3.1: 8.6
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Ivanti Endpoint Manager versions prior to 2024 SU5

Description: An authentication bypass exists in Ivanti Endpoint Manager, allowing a remote, unauthenticated attacker to leak stored credential data. The issue is caused by improper authentication: a malformed header concatenation in the WSAuth.dll component allows session token verification to be bypassed via null byte injection, granting access to internal APIs. An attacker can bypass authentication to reach the /api/credentials/export endpoint and retrieve encrypted credential blobs for high-privilege accounts, potentially compromising the entire endpoint management trust model and enabling lateral movement. The vulnerability has been exploited in the wild and poses a significant risk of ransomware deployment. The root cause is CWE-287 (Improper Authentication).

Recommendations: Upgrade to Ivanti Endpoint Manager 2024 SU5. If patching is not immediately possible, block internet access to the EPM management ports (80/443), implement strict IP allowlisting for administrative access only, and disable the /remote/tools/api/v1/ endpoint via IIS rewrite rules. Monitor for requests to /api/credentials/export from unauthenticated IPs and for X-CSRF-Token headers containing %00 or null bytes. Watch for anomalous credential vault access outside of normal business hours.
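The two monitoring recommendations above (requests to /api/credentials/export from sources outside the admin allowlist, and X-CSRF-Token values carrying a null byte) as a small detection pass over request logs. This is an added example, not Ivanti's or the advisory author's code; it assumes a reverse proxy or WAF in front of EPM that writes one JSON object per request with the fields used below, and the administrative range 10.10.0.0/16 is a placeholder.

```python
# Added example (not Ivanti's or the advisory's code). Assumes a reverse
# proxy/WAF in front of EPM logs one JSON object per request with these
# fields; X-CSRF-Token is not in default IIS logs and must be logged explicitly.
import ipaddress
import json
from urllib.parse import unquote

# Hypothetical administrative source ranges; any other source hitting the
# export endpoint is treated as unauthenticated/untrusted.
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/16")]
EXPORT_PATH = "/api/credentials/export"


def has_null_byte(value: str) -> bool:
    """True if the header carries a NUL as a raw byte, %00 or %2500."""
    return "\x00" in unquote(unquote(value))  # peel two encoding layers


def flags_for(event: dict) -> list[str]:
    """Return the advisory indicators that one request event matches."""
    flags = []
    path = unquote(event.get("path", "")).lower()
    src = ipaddress.ip_address(event["client_ip"])
    if path.startswith(EXPORT_PATH) and not any(src in n for n in ADMIN_NETS):
        flags.append("credential-export-outside-allowlist")
    if has_null_byte(event.get("headers", {}).get("X-CSRF-Token", "")):
        flags.append("null-byte-in-csrf-token")
    return flags


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (client_ip, flags) for every logged request that matched."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if flags := flags_for(event):
            hits.append((event["client_ip"], flags))
    return hits


# Constructed sample events, not real traffic.
SAMPLE = [
    '{"client_ip":"10.10.4.7","path":"/api/credentials/export","headers":{"X-CSRF-Token":"abc123"}}',
    '{"client_ip":"203.0.113.9","path":"/api/credentials/export","headers":{"X-CSRF-Token":"abc%00def"}}',
    '{"client_ip":"203.0.113.9","path":"/portal/index.html","headers":{}}',
]

if __name__ == "__main__":
    for ip, flags in scan(SAMPLE):
        print(ip, ", ".join(flags))
```

Double decoding in has_null_byte also catches %2500, the form a null byte takes when it has been URL-encoded twice before reaching the log.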

Fix

Weakness Enumeration

Missing Authentication

Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

BDU:2026-01795
CVE-2026-1603
ZDI-26-080

Affected Products

Ivanti Endpoint Manager