At a glance: CISA added an actively exploited authentication bypass vulnerability affecting Ivanti Endpoint Manager (EPM) to its KEV catalog. The flaw is rated high severity and allows unauthenticated attackers with network access to the core server to retrieve sensitive credential material through an alternate authentication path. Organizations should update affected deployments to Endpoint Manager 2024 SU5, which resolves the vulnerability.
Threat summary
On March 9, 2026, the US Cybersecurity and Infrastructure Security Agency (CISA) added an actively exploited vulnerability affecting Ivanti Endpoint Manager (EPM) to the Known Exploited Vulnerabilities (KEV) catalog.
Ivanti Endpoint Manager is a centralized endpoint management platform commonly deployed to manage and administer devices across Windows, macOS, Linux, Chrome OS, and Internet of Things (IoT) environments. Because the platform typically operates with elevated administrative privileges and manages authentication material for remote administration, vulnerabilities affecting the core server carry elevated risk.
The flaw, tracked as CVE-2026-1603, affects EPM versions prior to 2024 SU5, which was released in February 2026. The issue is described as an authentication bypass caused by an alternate authentication path.
In Ivanti EPM, the core server exposes multiple web-based interfaces and application programming interfaces used for management and automation. While these interfaces are intended to be protected by authentication, this vulnerability allows access through an alternate path where authentication is not consistently enforced.
As a result, a threat actor can send a crafted request to a reachable EPM service without establishing a valid session, causing the server to treat the request as authenticated and return sensitive data, including stored credentials. Exploitation requires network reachability to the core server but does not require credentials, a user account, or local system access. Ivanti assigned the issue a Common Vulnerability Scoring System (CVSS) score of 8.6, rated High.
Analysis
The direct impact described by Ivanti is the exposure of credential material stored within the Endpoint Manager system. If compromised, these credentials could enable unauthorized access to managed systems or supporting infrastructure, depending on how they are used.
Ivanti Endpoint Manager has a well-documented history of being targeted and actively exploited, particularly when core servers are network-reachable. Over the past several years, multiple vulnerabilities affecting the product have been added to the CISA KEV catalog, indicating real-world exploitation.
Ivanti has confirmed that CVE-2026-1603 affects Ivanti Endpoint Manager, which is the current product name for what was previously branded as LANDesk Management Suite and commonly referred to as LDMS or LANDesk. These names represent the same product lineage. Any deployment still referred to internally or contractually as LANDesk or LDMS is likely in scope if it maps to Ivanti Endpoint Manager versions prior to 2024 SU5.
Ivanti’s primary mitigation recommendation is to update affected deployments to Endpoint Manager 2024 SU5, which resolves CVE-2026-1603. Ivanti’s advisory notes that patching focuses on the core server and remote consoles, and that Endpoint Manager agents do not contain the vulnerability and can follow normal update cycles. The advisory also states that the vulnerability is not present in Ivanti Cloud Service Appliance (CSA) deployments.
Beyond applying the update, organizations can take additional steps to reduce exposure and limit the impact of a potential compromise.
Ivanti Endpoint Manager core servers should not be internet‑facing unless there is a clear operational need. Where possible, access should be restricted to internal administrative networks or dedicated jump hosts, with firewall rules that explicitly limit who can reach management interfaces. Placing the core server in a segmented network zone, separate from user and production systems, can help contain damage if credentials are exposed.
For environments that require external connectivity, a reverse proxy or web application firewall in front of the Endpoint Manager server can provide basic request inspection and help block unexpected or malformed traffic to management and API endpoints. Limiting inbound access to known source IP ranges and enforcing strict network allow‑listing can further reduce the attack surface.
Credential exposure is a key risk in this case, and organizations can reduce risk by reviewing which service accounts and credentials are stored or managed by Endpoint Manager and rotating any high‑privilege credentials, particularly those with broad administrative or domain‑level access. Where feasible, privileges should be reduced to the minimum required, and sensitive access should be protected using additional controls outside of the Endpoint Manager platform.
Reviewing web, application, and authentication logs for unusual access patterns, including unauthenticated requests to management endpoints, unexpected credential access, or activity occurring outside normal administrative workflows, can point to additional exposure. Network monitoring tools can help identify abnormal traffic targeting the core server, which may indicate probing or exploitation attempts.
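As an added example (not part of this advisory or of any Ivanti tooling), the following Python script applies two of the review checks described above to a constructed IIS W3C-style log excerpt: management-route requests arriving from outside an assumed administrative allow-list, and requests to those routes that succeeded with no authenticated username. The route prefixes, the allow-listed network and the log lines are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed IIS W3C-style log excerpt (EPM core servers run on Windows/IIS).
# Field layout follows the W3C "#Fields:" convention; the paths below are
# placeholders standing in for management/API routes, not real Ivanti endpoints.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip cs(User-Agent) sc-status
2026-03-09 10:01:02 10.0.5.20 GET /console/login 443 admin 10.0.8.11 Mozilla/5.0 200
2026-03-09 10:01:05 10.0.5.20 POST /api/credentials 443 - 203.0.113.44 python-requests/2.31 200
2026-03-09 10:01:06 10.0.5.20 POST /api/credentials 443 - 203.0.113.44 python-requests/2.31 200
2026-03-09 10:02:10 10.0.5.20 GET /api/devices 443 svc_epm 10.0.8.12 EPMConsole/2024 200
2026-03-09 10:03:00 10.0.5.20 GET /api/credentials 443 - 10.0.8.11 Mozilla/5.0 401
"""

# Assumed policy: only the administrative jump-host range may reach management routes.
ALLOWED_NETS = [ipaddress.ip_network("10.0.8.0/24")]
MANAGEMENT_PREFIXES = ("/console/", "/api/")

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_suspicious(text):
    """Flag management-route requests that came from outside the allow-list
    or that succeeded (2xx) without any authenticated username; both match
    the unauthenticated-access pattern the advisory says to review."""
    findings = []
    for e in parse_w3c(text):
        if not e["cs-uri-stem"].startswith(MANAGEMENT_PREFIXES):
            continue
        src = ipaddress.ip_address(e["c-ip"])
        reasons = []
        if not any(src in net for net in ALLOWED_NETS):
            reasons.append("source outside allow-list")
        if e["cs-username"] == "-" and e["sc-status"].startswith("2"):
            reasons.append("2xx without authenticated user")
        if reasons:
            findings.append((e["c-ip"], e["cs-method"], e["cs-uri-stem"], reasons))
    return findings

def sources_by_hits(findings):
    """Rank flagged source IPs by the number of flagged requests."""
    return Counter(f[0] for f in findings).most_common()
```

In the sample, the two successful unauthenticated POSTs from 203.0.113.44 are flagged on both grounds, while the 401 from an allow-listed host is not, since a rejected request is the expected outcome rather than a sign of bypass.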