IVANTI has patched more than a dozen Endpoint Manager flaws, including a high-severity auth bypass that could let attackers steal credentials remotely, tracked as CVE-2026-1603 with a CVSS score of 8.6.
According to Ivanti, an authentication bypass in Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data, and a medium-severity SQL injection tracked as CVE-2026-1602 could allow a remote authenticated attacker to read arbitrary data from the database.
Trend Micro’s ZDI reported the flaws to Ivanti in November 2024, with the company saying there were no known attacks in the wild before public disclosure; the fixes apply to EPM 2024 SU5, and a newly disclosed vulnerability tracked as CVE-2025-10573 (CVSS 9.6) was addressed in December for Endpoint Manager.
The Stored XSS flaw, which could enable a remote unauthenticated attacker to execute arbitrary JavaScript in an administrator session, affects Endpoint Manager prior to version 2024 SU4 SR1 and is noted in the advisory. The article notes that attackers could escalate privileges and run code remotely, though Ivanti says there is no evidence of exploitation in the wild prior to disclosure. 12 February 2026