PT-2026-7270 · Ivanti · Ivanti Endpoint Manager

Published: 2026-02-09 · Updated: 2026-04-14 · CVE-2026-1603

CVSS v3.1: 8.6 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Ivanti Endpoint Manager versions prior to 2024 SU5

Description: An authentication bypass in Ivanti Endpoint Manager allows a remote, unauthenticated attacker to leak stored credential data. The flaw is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities catalog. By bypassing authentication, an attacker can reach the /api/credentials/export endpoint and retrieve encrypted credential blobs, which can compromise the entire endpoint management trust model and enable lateral movement. The root cause is a malformed header concatenation in the WSAuth.dll component that lets session token verification be bypassed through null byte injection. Because exploitation is ongoing, the vulnerability poses a significant risk, particularly for organizations managing endpoints in a DIS environment.

Recommendations: Ivanti Endpoint Manager versions prior to 2024 SU5: upgrade to version 2024 SU5 immediately. If patching is not immediately possible, block internet access to the EPM management ports (80/443), enforce strict IP allowlisting for administrative access, and disable the /remote/tools/api/v1/ endpoint via IIS rewrite rules. Hunt for unauthenticated requests to /api/credentials/export, monitor for X-CSRF-Token headers containing %00 or literal null bytes, and watch for anomalous credential vault access.
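A small hunting script for the indicators listed above, added here as an example and not part of this advisory or any Ivanti tooling. It assumes a simplified, space-delimited W3C-style log layout with the X-CSRF-Token header logged as a custom field (IIS does not log request headers by default), and the log lines and allowlisted admin network are constructed.

```python
import ipaddress
from urllib.parse import unquote

# Constructed sample lines, not real IIS output. Assumed simplified W3C-style field order:
# date time c-ip cs-method cs-uri-stem cs-username cs(X-CSRF-Token) sc-status
SAMPLE_LOG = """\
2026-02-10 09:12:01 10.0.5.20 GET /remote/tools/api/v1/status CORP\\jdoe a1b2c3 200
2026-02-10 09:12:07 203.0.113.45 GET /api/credentials/export - tok%00admin 200
2026-02-10 09:13:15 10.0.5.21 GET /api/credentials/export CORP\\backupsvc d4e5f6 200
2026-02-10 09:14:02 198.51.100.9 POST /login - - 302
"""
EXPORT_PATH = "/api/credentials/export"
FIELDS = ("date", "time", "c_ip", "method", "uri", "user", "csrf_token", "status")

def parse_line(line):
    """Split one space-delimited line into a dict; None for lines with the wrong field count."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def has_null_byte(value):
    """True if the value carries a literal or URL-encoded NUL, including double encoding."""
    for _ in range(3):  # %2500 -> %00 -> NUL
        if "\x00" in value:
            return True
        value = unquote(value)
    return "\x00" in value

def assess(rec, admin_nets):
    """Return the reasons a parsed request matches the hunting guidance above."""
    reasons = []
    if rec["uri"].lower() == EXPORT_PATH:
        reasons.append("credential-export-access")
        if rec["user"] == "-":  # IIS logs '-' when no user was authenticated
            reasons.append("unauthenticated")
        if not any(ipaddress.ip_address(rec["c_ip"]) in net for net in admin_nets):
            reasons.append("non-allowlisted-source")
    if rec["csrf_token"] != "-" and has_null_byte(rec["csrf_token"]):
        reasons.append("null-byte-in-csrf-token")
    return reasons

def scan(log_text, admin_cidrs=("10.0.5.0/24",)):
    """Map line number -> reasons for every line that needs analyst attention."""
    nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec and (reasons := assess(rec, nets)):
            findings[n] = reasons
    return findings
```

Authenticated exports from allowlisted sources are still reported (as `credential-export-access` only) so that unusual vault access by legitimate accounts can be reviewed rather than silently dropped.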

Fix

RCE

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel
Missing Authentication

Related Identifiers

BDU:2026-01795
CVE-2026-1603
ZDI-26-080

Affected Products

Ivanti Endpoint Manager