Description
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
Published: 2026-02-10
Score: 8.6 High
EPSS: 81.1% High
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

An authentication bypass in Ivanti Endpoint Manager, affecting all releases before 2024 SU5, permits a remote unauthenticated attacker to access and leak specific stored credential data. This weakness is manifested as Improper Authentication (CWE‑288) and Missing Authentication for Critical Operation (CWE‑306). The breach compromises confidentiality by exposing sensitive authentication information.

Affected Systems

Ivanti Endpoint Manager, all versions released prior to 2024 SU5, including the 2024 updates 2024 SU1 through 2024 SU4 and their security releases.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, while an EPSS score of 81% signals a relatively high probability of exploitation. This vulnerability is listed in the CISA KEV catalog, indicating that active exploitation may already be occurring. Because the vulnerability allows remote unauthenticated access, an attacker can trigger a credential leak without needing valid credentials, so patching remains a priority.

Generated by OpenCVE AI on June 18, 2026 at 05:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Ivanti Endpoint Manager patch (2024 SU5) or any later version that addresses the authentication bypass bug.
  • Enforce multi‑factor authentication for all management interfaces to mitigate improper authentication weaknesses (CWE‑288).
  • Disable or remove default and unmanaged credentials, restricting API and remote access to internally trusted hosts (CWE‑306).
  • Continuously monitor authentication logs for abnormal credential export activity and investigate any anomalies promptly.

Generated by OpenCVE AI on June 18, 2026 at 05:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allowing Credential Leak in Ivanti Endpoint Manager

Wed, 17 Jun 2026 10:15:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allows Credential Leakage in Ivanti Endpoint Manager

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allows Credential Leakage in Ivanti Endpoint Manager

Fri, 05 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Enables Remote Credential Leak in Ivanti Endpoint Manager

Sat, 23 May 2026 15:00:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Enables Remote Credential Leak in Ivanti Endpoint Manager

Mon, 11 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allows Credential Leakage in Ivanti Endpoint Manager

Tue, 28 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allows Credential Leakage in Ivanti Endpoint Manager

Wed, 22 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Exposes Stored Credentials in Ivanti Endpoint Manager

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Exposes Stored Credentials in Ivanti Endpoint Manager

Sun, 19 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allows Remote Credential Leakage in Ivanti Endpoint Manager

Fri, 17 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allows Remote Credential Leakage in Ivanti Endpoint Manager

Tue, 10 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
CPEs cpe:2.3:a:ivanti:endpoint_manager:2024:su4_sr1:*:*:*:*:*:* cpe:2.3:a:ivanti:endpoint_manager:2024:su4_security_release_1:*:*:*:*:*:*

Mon, 09 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-03-09T00:00:00+00:00', 'dueDate': '2026-03-23T00:00:00+00:00'}

Mon, 09 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su1:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su2:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su3:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su3_security_release_1:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su4:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su4_sr1:*:*:*:*:*:*

Tue, 10 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Ivanti
Ivanti endpoint Manager
Vendors & Products Ivanti
Ivanti endpoint Manager

Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
Description An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Ivanti Endpoint Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-03-10T03:55:23.819Z

Reserved: 2026-01-29T09:18:49.146Z

Link: CVE-2026-1603

cve-icon Vulnrichment

Updated: 2026-02-10T16:00:25.939Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T16:16:10.540

Modified: 2026-06-17T10:16:09.150

Link: CVE-2026-1603

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T05:15:16Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel

  • CWE-306

    Missing Authentication for Critical Function