- March 9, 2026
Known Abuse of Ivanti EPM Authentication Bypass (CVE-2026-1603)
Known Abuse of Ivanti's Endpoint Manager (EPM) Authentication Bypass (CVE-2026-1603) was reported by CISA's Known Exploited Vulnerabilities Catalog (KEV).
Executive Summary
On Feb 10th, Ivanti published CVE-2026-1603 to NIST, disclosing an authentication bypass in Ivanti Endpoint Manager that allowed a "remote unauthenticated attacker to leak specific stored credential data". Three days later, WatchTowr Labs discovered and disclosed a hard-coded logintype key that, if exploited, bypassed authentication mechanisms and allowed an attacker privileged access on an affected device. On March 9th, the flaw was confirmed as being actively exploited in the wild when the CVE was added to CISA’s Known Exploited Vulnerabilities Catalog (KEV).
Authenticating with this logintype allows future compromise of user sessions and access to arbitrary data on the Endpoint Manager host. Subsequently, Ivanti updated their Security Advisory to claim the vulnerability required an “authenticated user” to bypass authorization.
Given confirmed active exploitation and public disclosure, Beazley Security believes that additional threat actors will continue to leverage this flaw to gain unauthorized access to unpatched Ivanti systems. Organizations operating Ivanti Endpoint Manager systems should review systems for signs of compromise and patch immediately.
Affected Systems or Products
| Product | Affected Versions | Fixed Versions | Availability |
|---|---|---|---|
| Ivanti Endpoint Manager (EPM) | 2024 SU4 SR1 and prior | 2024 SU5 | Available now |
Mitigations / Workarounds
Affected organizations that are unable to immediately patch should ensure strict network access controls are in place. Any organization with a publicly exposed Ivanti EPM product should immediately rotate passwords and access for all EPM accounts, as well as audit authentication logs for any unexplained access.
Patches
Ivanti has released fixes for all supported versions of the Ivanti Endpoint Manager in their Ivanti License System portal, which requires login.
Indicators of Compromise
While Ivanti stated it was unaware of customer exploitation prior to public disclosure, CISA confirmed active exploitation of CVE-2026-1603 in the wild as of March 9, 2026, when the vulnerability was added to its KEV catalog.
Ivanti has not published specific indicators of compromise tied to active exploitation of this vulnerability; however, Beazley Security recommends organizations monitor for the following indicators:
- Unusual or unexpected access attempts against Ivanti EPM services
- Unexpected or anomalous administrative actions within the EPM console, such as unauthorized user creations
- Unexpected or suspicious outbound connections originating from the EPM server
We believe that outside of WAF logs that could identify this specific parameter being passed to an EPM instance, little can be discerned to identify compromises of publicly accessible Ivanti EPM systems running vulnerable software versions.
Threat Intelligence
WatchTowr disclosed that CVE-2026-1603’s authentication bypass flaw involves giving an undocumented logintype parameter a value of 64. When this is packaged within a POST request to the /RemoteControlAuth/api/Auth endpoint, affected systems improperly grant access without validating credentials.
Given active exploitation and the low complexity of the attack, there is a significant increase in the likelihood of widespread exploitation and automated scanning campaigns.
Technical Details
WatchTowr disclosed that the CVE-2026-1603 authentication bypass relies on an undocumented logintype parameter: a POST request to the /RemoteControlAuth/api/Auth endpoint in Ivanti EPM that supplies logintype with a value of 64 bypasses the regular authentication checks.
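The WAF-log review mentioned under Indicators of Compromise can be scripted; the following is an added example, not code from Beazley Security, Ivanti or WatchTowr. It assumes the WAF exports one JSON record per request with the hypothetical fields ts, src, method, uri and body, and, because the page only says the parameter is sent in a POST request, it checks the query string as well as a JSON or form-encoded body. The sample records are constructed.

```python
import json
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/remotecontrolauth/api/auth"  # endpoint named in the advisory, lower-cased

def _params(uri, body):
    """Yield (name, value) pairs from the query string and a JSON or form body."""
    yield from parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    doc = body
    if isinstance(body, str):
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
    if isinstance(doc, dict):
        yield from ((k, str(v)) for k, v in doc.items())
    elif isinstance(body, str) and body:
        yield from parse_qsl(body, keep_blank_values=True)

def find_suspect_requests(lines):
    """Return (ts, src) for each POST to ENDPOINT that carries logintype=64."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # malformed record, skip
        if not isinstance(rec, dict) or str(rec.get("method", "")).upper() != "POST":
            continue
        uri = str(rec.get("uri", ""))
        # Path and parameter name are compared case-insensitively (conservative choice).
        if urlsplit(uri).path.rstrip("/").lower() != ENDPOINT:
            continue
        if any(k.lower() == "logintype" and v.strip() == "64"
               for k, v in _params(uri, rec.get("body"))):
            hits.append((rec.get("ts"), rec.get("src")))
    return hits

# Constructed sample records (assumed export format, documentation IP ranges).
SAMPLE = [json.dumps(r) for r in (
    {"ts": "2026-03-09T10:00:01Z", "src": "198.51.100.7", "method": "POST",
     "uri": "/RemoteControlAuth/api/Auth", "body": '{"logintype": 64}'},
    {"ts": "2026-03-09T10:02:13Z", "src": "203.0.113.9", "method": "POST",
     "uri": "/remotecontrolauth/api/auth?LoginType=64", "body": ""},
    {"ts": "2026-03-09T10:05:40Z", "src": "192.0.2.10", "method": "POST",
     "uri": "/RemoteControlAuth/api/Auth", "body": "logintype=1"},
    {"ts": "2026-03-09T10:06:02Z", "src": "192.0.2.11", "method": "GET",
     "uri": "/RemoteControlAuth/api/Auth?logintype=64", "body": ""},
)]
```

Any hit against an internet-facing EPM instance running an affected version warrants the credential rotation and authentication-log audit described under Mitigations / Workarounds.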
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.