Description
An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
Published: 2026-02-10
Score: 8.6 High
EPSS: 54.8% High
KEV: Yes
Impact: Credential theft via authentication bypass
Action: Patch Now
AI Analysis

Impact

An authentication bypass in Ivanti Endpoint Manager, affecting all releases before 2024 SU5, permits a remote unauthenticated attacker to access and leak specific stored credential data. The breach compromises confidentiality by exposing sensitive authentication information.

Affected Systems

Ivanti Endpoint Manager, all versions released prior to 2024 SU5, including the 2024 updates 2024 SU1 through 2024 SU4 and their security releases.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, and an EPSS score of 55% reflects a significant likelihood of exploitation in the current environment. Listed in the CISA Known Exploited Vulnerabilities catalog, the issue is actively being exploited. Because the vulnerability allows remote unauthenticated access, an attacker can trigger the credential leak without needing valid credentials, making it a critical security concern for any environment running these versions of Endpoint Manager.

Generated by OpenCVE AI on April 17, 2026 at 20:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Ivanti Endpoint Manager patch (2024 SU5) or any later version that addresses the authentication bypass bug.
  • Enforce multi-factor authentication for all management interfaces to mitigate improper authentication weaknesses (CWE‑288).
  • Disable or remove default and unmanaged credentials, restricting API and remote access to internally trusted hosts (CWE‑306).
  • Continuously monitor authentication logs for abnormal credential export activity and investigate any anomalies promptly.

Generated by OpenCVE AI on April 17, 2026 at 20:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Title Authentication Bypass Allows Remote Credential Leakage in Ivanti Endpoint Manager

Tue, 10 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
CPEs cpe:2.3:a:ivanti:endpoint_manager:2024:su4_sr1:*:*:*:*:*:* cpe:2.3:a:ivanti:endpoint_manager:2024:su4_security_release_1:*:*:*:*:*:*

Mon, 09 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-03-09T00:00:00+00:00', 'dueDate': '2026-03-23T00:00:00+00:00'}

Mon, 09 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su1:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su2:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su3:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su3_security_release_1:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su4:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:su4_sr1:*:*:*:*:*:*

Tue, 10 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Ivanti
Ivanti endpoint Manager
Vendors & Products Ivanti
Ivanti endpoint Manager

Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
Description An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Ivanti Endpoint Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-03-10T03:55:23.819Z

Reserved: 2026-01-29T09:18:49.146Z

Link: CVE-2026-1603

cve-icon Vulnrichment

Updated: 2026-02-10T16:00:25.939Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T16:16:10.540

Modified: 2026-03-10T13:11:30.467

Link: CVE-2026-1603

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses