
The directive forces federal IT environments to remediate a credential‑stealing vector, reducing risk of widespread data breaches. It also signals heightened scrutiny of Ivanti products, prompting enterprises to accelerate patch management.
The inclusion of CVE‑2026‑1603 in CISA’s Known Exploited Vulnerabilities (KEV) catalog marks a rare escalation for a flaw that was already patched in Ivanti’s Endpoint Manager (EPM) suite. Ivanti EPM powers device management for more than 40,000 enterprises, spanning Windows, macOS, Linux, Chrome OS, and IoT environments. By flagging the vulnerability as “actively exploited,” the agency signals that threat actors are likely scanning for unpatched installations despite the vendor’s release of the 2024 SU5 update. This move aligns with CISA’s broader effort to harden the federal enterprise against supply‑chain attacks.
Technically, CVE‑2026‑1603 is a low‑complexity cross‑site scripting (XSS) bug that bypasses authentication and exfiltrates credential data without any user interaction. The attack vector requires only a reachable web interface, making the more than 700 internet‑facing EPM instances identified by Shadowserver attractive targets. Ivanti’s patch, bundled in the 2024 SU5 service update, also remedied an unrelated SQL injection issue, but the rapid addition to the KEV list suggests that some organizations have not yet applied the fix. Past incidents—such as the 2024‑29824 exploit—demonstrate how quickly attackers can weaponize similar flaws.
For federal agencies and private firms alike, the March 23 deadline imposes a tight remediation window that underscores the need for automated patch deployment and continuous asset discovery. Enterprises should inventory all EPM endpoints, verify the SU5 version, and prioritize remediation of any legacy installations still exposed to the internet. Moreover, integrating threat‑intelligence feeds like Shadowserver into security operations can surface vulnerable assets before adversaries exploit them. By treating Ivanti’s recent vulnerabilities as a case study, organizations can reinforce their broader vulnerability‑management lifecycle and reduce the attack surface across heterogeneous device fleets.
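The inventory-and-prioritise step above, as an added example that is not part of the original article: a small triage script that reads a constructed EPM inventory, flags hosts below the 2024 SU5 fix level, and orders internet-facing ones first. The version-label format ("2024 SU5"), the deadline year (2026) and the sample hosts are assumptions, not data from Ivanti or CISA.

```python
"""Triage a constructed Ivanti EPM inventory against the CVE-2026-1603 fix level.
Assumed (not from the vendor): labels look like "YYYY SUn"; fix level is 2024 SU5;
the KEV deadline is 2026-03-23 (article gives March 23; year assumed)."""
import csv
import io
import re
from datetime import date

FIXED_LEVEL = (2024, 5)            # 2024 SU5, the update named in the article
KEV_DEADLINE = date(2026, 3, 23)   # March 23 deadline; the year is an assumption

# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = """hostname,version,internet_facing
epm-core-01,2024 SU5,no
epm-dmz-01,2024 SU3,yes
epm-lab-02,2023 SU2,no
epm-dmz-02,2024 SU5,yes
epm-branch-07,2024 SU4,yes
"""

VERSION_RE = re.compile(r"^(\d{4})\s+SU(\d+)$")

def parse_version(label):
    """Return (year, service_update) or None when the label is not in the assumed format."""
    m = VERSION_RE.match(label.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def is_patched(label):
    """Patched means at or above 2024 SU5; an unparseable label counts as unpatched."""
    v = parse_version(label)
    return v is not None and v >= FIXED_LEVEL

def triage(inventory_csv):
    """Return unpatched hosts, internet-facing first, then oldest level first."""
    exposed = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if is_patched(row["version"]):
            continue
        exposed.append(dict(row, internet_facing=row["internet_facing"].lower() == "yes",
                            level=parse_version(row["version"])))
    exposed.sort(key=lambda r: (not r["internet_facing"], r["level"] or (0, 0)))
    return exposed

def days_to_deadline(today):
    """Days left in the KEV remediation window; negative once it has passed."""
    return (KEV_DEADLINE - today).days

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        tag = "INTERNET-FACING" if host["internet_facing"] else "internal"
        print(f"{host['hostname']:16} {host['version']:10} {tag}")
    print("days to deadline:", days_to_deadline(date.today()))
```

Swap the constructed CSV for an export from your asset inventory; anything the regex cannot parse is deliberately treated as unpatched so it surfaces for manual review.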