PT-2026-7270 · Ivanti · Ivanti Endpoint Manager
Published 2026-02-09 · Updated 2026-03-16 · CVE-2026-1603
CVSS v3.1: 8.6
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Ivanti Endpoint Manager versions prior to 2024 SU5

Description: An authentication bypass exists in Ivanti Endpoint Manager that allows a remote, unauthenticated attacker to leak stored credential data. This flaw, tracked as CVE-2026-1603, is actively being exploited in the wild. The root cause is improper authentication due to malformed header concatenation in the WSAuth.dll component, which allows session token verification to be bypassed via null byte injection, granting access to internal APIs. Attackers can bypass authentication to access the /api/credentials/export endpoint and retrieve encrypted credential blobs for high-privilege accounts, potentially compromising the entire endpoint management trust model and enabling lateral movement. The vulnerability impacts enterprise environments globally and represents a potential ransomware attack vector.

Recommendations: Upgrade Ivanti Endpoint Manager to version 2024 SU5 immediately. If patching is not immediately possible, block internet access to the EPM management ports (80/443). Implement strict IP allowlisting, limiting access to admin jump hosts only. Disable the /remote/tools/api/v1/ endpoint via IIS rewrite rules. Hunt for requests to /api/credentials/export from unauthenticated IPs. Monitor for X-CSRF-Token headers containing %00 or null bytes. Watch for anomalous credential vault access outside of admin hours.

Fix
RCE
Missing Authentication
Authentication Bypass Using an Alternate Path or Channel

Weakness Enumeration

Related Identifiers: BDU:2026-01795, CVE-2026-1603, ZDI-26-080

Affected Products: Ivanti Endpoint Manager