89/69 Friday, February 13, 2026
Ivanti has released security updates to address more than ten vulnerabilities in its Endpoint Manager (EPM) product, including a critical flaw that could allow threat actors to access sensitive data without authentication. The vulnerability, tracked as CVE-2026-1603 with a CVSS score of 8.6, is an authentication bypass issue affecting Ivanti Endpoint Manager versions prior to 2024 SU5. If exploited, attackers could remotely access and steal credentials stored within the system.
The company also remediated a medium-severity vulnerability, CVE-2026-1602 (CVSS 6.5), which involves an SQL injection flaw. This issue could enable authenticated attackers to read arbitrary data from the database. Both vulnerabilities were reported by Trend Micro’s Zero Day Initiative (ZDI) in November 2024 and carry the potential risk of being leveraged for privilege escalation or remote code execution. Ivanti stated that there is currently no evidence indicating these vulnerabilities were exploited prior to public disclosure, and that the EPM 2024 SU5 update resolves the issues.
Previously, Ivanti addressed another significant vulnerability, CVE-2025-10573 (CVSS 9.6), a Stored Cross-Site Scripting (Stored XSS) flaw impacting Endpoint Manager versions earlier than 2024 SU4 SR1. This vulnerability could allow unauthenticated attackers to execute JavaScript within the context of an administrator’s session, although user interaction would be required. Organizations using Ivanti Endpoint Manager are strongly advised to update to the latest version to reduce the risk of cyberattacks.