IVANTI has issued patches for more than a dozen Endpoint Manager (EPM) vulnerabilities, including issues first disclosed in October 2025. The company’s advisory notes a high-severity authentication-bypass flaw, tracked as CVE-2026-1603, which could lead to credential exposure, and a medium-severity SQL injection, CVE-2026-1602, enabling reading of data from the database when exploited by authenticated attackers.
Both were resolved in EPM 2024 SU5, which also contains fixes for 11 additional medium-severity vulnerabilities Ivanti had warned about in October. The flaws were reported to Ivanti in November 2024 and were publicly disclosed by Trend Micro’s Zero Day Initiative (ZDI) as ‘0day’, though they were not technically zero-days. Ivanti says it is not aware of these vulnerabilities being exploited in the wild, but urges users to upgrade to EPM 2024 SU5 and notes that EPM version 2022 has reached end of life.
In addition, two EPM Mobile vulnerabilities previously disclosed as zero-days, CVE-2026-1281 and CVE-2026-1340, have also been updated with IoCs, a detection script, and guidance on false positives.