CISA KEV Alert 3/9/2026, 9:22:13 PM

CISA Adds CVE-2026-1603 to KEV for Ivanti EPM Exploitation

CyberSIXT Evidence Panel: Source marked as original reporting
Primary Source: cisa.gov
CISA KEV: Listed in KEV
Patch: Patch Available

CISA has added CVE-2026-1603 to the Known Exploited Vulnerabilities (KEV) catalogue. The affected vendor is Ivanti, and the product is Ivanti Endpoint Manager (EPM). The vulnerability, listed as "Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability", is an authentication bypass via an alternate path or channel that could allow a remote unauthenticated attacker to leak specific stored credential data. Date added to KEV: 9 March 2026.

Technical detail: The flaw is an authentication bypass in EPM that enables a remote, unauthenticated attacker to access and exfiltrate stored credential data. The CVSS v3.1 base score is 8.6 (HIGH). A patch is available from Ivanti, and the vendor’s February 2026 security advisory provides mitigations and guidance for both on‑premises and cloud deployments.

Exploitation and risk: The KEV listing confirms active exploitation in the wild. There is no publicly known ransomware campaign linked to this CVE (Known Ransomware Campaign Use: Unknown). The remediation due date is 23 March 2026.

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Directly affected: FCEB agencies. All organisations should review their exposure and prioritise remediation for systems running Ivanti Endpoint Manager.

For full details, see the NVD entry and the CISA KEV catalogue.

Article by CyberSIXT