Ivanti Releases Critical Security Update for Endpoint Manager, Fixing Authentication Bypass and SQL Injection Vulnerabilities


Introduction: A Wake-Up Call for Enterprise Endpoint Security

Ivanti has issued a significant security update for its Endpoint Manager platform, addressing more than a dozen vulnerabilities, including a high-severity authentication bypass flaw that could allow remote attackers to access sensitive credential data without logging in. The patch cycle highlights the ongoing pressure on enterprise software vendors to secure endpoint management systems, which sit at the heart of corporate IT infrastructure. With threat actors increasingly targeting administrative tools to escalate privileges and exfiltrate data, this update underscores both the risks and the urgency surrounding enterprise patch management.

Ivanti Endpoint Manager Vulnerabilities and Security Patches

Ivanti has released updates for its Endpoint Manager (EPM) product to resolve over a dozen security vulnerabilities, including flaws that were publicly disclosed in October 2025. Among the most critical issues addressed is CVE-2026-1603, a high-severity authentication bypass vulnerability with a CVSS score of 8.6. This flaw affects versions of Ivanti Endpoint Manager prior to 2024 SU5 and allows a remote, unauthenticated attacker to access and leak specific stored credential data. Because no login credentials are required to exploit the issue, the risk level is significantly elevated, especially in exposed or poorly segmented environments.

The official advisory explains that the authentication bypass permits remote attackers to extract certain stored login information from affected systems. In enterprise networks where Endpoint Manager is used to administer thousands of devices, the compromise of credential data could enable further lateral movement, privilege escalation, and broader network intrusion.

Ivanti also addressed CVE-2026-1602, a medium-severity SQL injection vulnerability with a CVSS score of 6.5. This flaw impacts the same product versions prior to 2024 SU5. Unlike the authentication bypass, exploitation of this SQL injection requires authentication. However, once authenticated, a remote attacker could read arbitrary data directly from the backend database. Access to sensitive configuration data or stored records could assist attackers in reconnaissance and privilege expansion efforts.

Both vulnerabilities were reported to Ivanti by Trend Micro’s Zero Day Initiative (ZDI) in November 2024. According to the disclosure timeline, the flaws remained under coordinated remediation before being publicly documented. The vulnerabilities could potentially be chained by threat actors to escalate privileges and execute arbitrary code remotely, increasing their operational impact.

Ivanti has stated that it is not aware of any active exploitation of these specific vulnerabilities in the wild prior to their public disclosure. Nonetheless, given the history of endpoint management platforms being targeted by sophisticated attackers, organizations are strongly encouraged to apply the 2024 SU5 update without delay.

In addition to these recently addressed issues, Ivanti had previously fixed another serious vulnerability in December. That flaw, tracked as CVE-2025-10573 and assigned a CVSS score of 9.6, was identified as a Stored Cross-Site Scripting (XSS) vulnerability. It affected Ivanti Endpoint Manager versions prior to 2024 SU4 SR1.

The Stored XSS issue allowed a remote, unauthenticated attacker to inject arbitrary JavaScript into the application. Although user interaction was required for exploitation, the malicious script would execute in the context of an administrator session. This significantly increases the severity, as attackers could hijack administrative sessions, manipulate system configurations, or extract sensitive management data.

By releasing cumulative updates across multiple service updates, Ivanti has aimed to close these security gaps in Endpoint Manager, reinforcing its core administrative tool against authentication bypass, SQL injection, and cross-site scripting threats. Organizations running affected versions must upgrade to at least 2024 SU5 to mitigate the authentication bypass and SQL injection flaws, and to 2024 SU4 SR1 or later to remediate the Stored XSS issue.

Enterprise Risk Implications of Authentication Bypass Flaws

Authentication bypass vulnerabilities remain among the most dangerous classes of enterprise software flaws. When an attacker can circumvent login mechanisms entirely, traditional perimeter defenses and credential hygiene practices become ineffective. In the case of CVE-2026-1603, the fact that no authentication is required raises the threat level dramatically. Such vulnerabilities often become priority targets for automated scanning tools and botnets once public disclosure occurs.

For organizations that expose Endpoint Manager interfaces to internal or external networks without strict segmentation, the risk extends beyond simple data leakage. Extracted credential data could serve as a pivot point into other internal systems, potentially compromising entire enterprise ecosystems.

Database Exposure Through SQL Injection in Endpoint Management Systems

The SQL injection vulnerability, CVE-2026-1602, although rated medium severity, should not be underestimated. SQL injection flaws allow attackers to manipulate database queries and extract information beyond intended boundaries. In enterprise endpoint management platforms, backend databases often store device inventories, user associations, patch configurations, and sometimes encrypted credential information.

Even when exploitation requires authentication, compromised low-privilege accounts could be leveraged to extract high-value information. Attackers frequently chain authenticated SQL injection with other weaknesses to escalate privileges or deploy malicious payloads. In security architecture, the presence of SQL injection signals potential weaknesses in input validation and secure coding practices.
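The difference between a query that splices user input into SQL text and one that binds it as a parameter is the whole story behind a flaw of the class described above. The following Python example is added here for illustration and is not Ivanti's code or schema; it uses an in-memory SQLite table with constructed sample rows to show how the vulnerable form lets input change the query's structure, while the parameterized form treats the same input as plain data.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for a management-console database.
# Nothing here reflects Ivanti's schema; it exists only to contrast the two query styles.
def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, hostname TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO devices (hostname, owner) VALUES (?, ?)",
        [("ws-001", "alice"), ("ws-002", "bob")],
    )
    conn.commit()
    return conn


def find_devices_vulnerable(conn: sqlite3.Connection, owner: str) -> list[tuple]:
    # Vulnerable pattern: the caller-supplied value is formatted into the SQL
    # string, so characters in it can rewrite the WHERE clause.
    query = f"SELECT hostname, owner FROM devices WHERE owner = '{owner}'"
    return conn.execute(query).fetchall()


def find_devices_parameterized(conn: sqlite3.Connection, owner: str) -> list[tuple]:
    # Hardened pattern: the value is bound as a parameter and never parsed as SQL,
    # so it can only ever be compared against the owner column.
    return conn.execute(
        "SELECT hostname, owner FROM devices WHERE owner = ?", (owner,)
    ).fetchall()


def compare(owner: str) -> dict:
    # Run both query styles against the same input and report the row counts,
    # which is what a code reviewer or unit test would look at.
    conn = build_sample_db()
    return {
        "vulnerable_rows": len(find_devices_vulnerable(conn, owner)),
        "parameterized_rows": len(find_devices_parameterized(conn, owner)),
    }


if __name__ == "__main__":
    # Ordinary input: both styles return only alice's device.
    print(compare("alice"))
    # Tautology input: the string-built query returns every row because the
    # filter was rewritten; the bound parameter simply matches nothing.
    print(compare("' OR '1'='1"))
```

The check a reviewer wants is the second call: the same string yields every device from the string-built query and zero rows from the bound query. In a real audit, grep for f-strings, `%` formatting or `+` concatenation feeding `execute()`; every hit is a candidate for the parameterized form.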

Stored XSS and Administrative Session Hijacking Risks

The previously disclosed CVE-2025-10573 vulnerability, a Stored XSS issue, presents a different but equally concerning risk. Stored XSS attacks embed malicious scripts within the application’s persistent storage, meaning every time an administrator accesses the affected page, the malicious code executes automatically.

Although user interaction is required, the execution context of an administrator session significantly amplifies impact. Attackers could manipulate configurations, create unauthorized accounts, or redirect management traffic. In tightly managed enterprise environments, such control could enable long-term persistence and stealthy compromise.
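Stored XSS of the kind described here is stopped at render time, not at storage time: whatever an unauthenticated submitter managed to save, the console must encode it before it reaches an administrator's browser. The Python example below is added for illustration and is not Ivanti's code; it uses a constructed device description containing markup and contrasts a template that interpolates the stored text directly with one that applies contextual HTML encoding.

```python
import html
import re

# Constructed sample record: a device description as it might sit in a console
# database after an untrusted submission. This is not data from the advisory.
STORED_DESCRIPTION = 'Lab printer <script>alert("xss")</script>'


def render_unsafe(description: str) -> str:
    # Vulnerable: the stored text is dropped straight into the page, so any
    # markup it carries becomes live HTML in the administrator's session.
    return f"<td class='description'>{description}</td>"


def render_escaped(description: str) -> str:
    # Hardened: contextual output encoding turns <, >, &, and quotes into
    # entities, so the browser displays the text instead of executing it.
    return f"<td class='description'>{html.escape(description, quote=True)}</td>"


# Crude check used only in this example: does a live <script> tag survive rendering?
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_active_script(rendered_html: str) -> bool:
    return SCRIPT_TAG.search(rendered_html) is not None


if __name__ == "__main__":
    for renderer in (render_unsafe, render_escaped):
        out = renderer(STORED_DESCRIPTION)
        print(f"{renderer.__name__}: active script = {contains_active_script(out)}")
        print("   ", out)
```

Encoding is applied per output context; the `html.escape` call covers element content and quoted attribute values, which is the case shown. Text that lands inside a `<script>` block, a URL, or an inline event handler needs the encoder for that context, and a restrictive Content-Security-Policy on the console is the defence-in-depth layer that limits what any surviving script can do.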

What Undercode Say:

The Ivanti Endpoint Manager vulnerabilities reveal a broader pattern within enterprise IT security. Endpoint management systems are designed to centralize control, streamline updates, and enforce security policies across thousands of devices. That same centralization makes them exceptionally attractive targets.

When an authentication bypass exists in such a platform, it does not simply expose a single application. It potentially unlocks the operational command center of an entire organization. Attackers do not need to breach every workstation individually. They only need to compromise the system that manages them all.

The CVSS score of 8.6 for CVE-2026-1603 reflects more than technical severity. It reflects systemic risk. Credential leakage in a management platform can facilitate privilege escalation, lateral movement, and deployment of ransomware at scale. In recent years, multiple high-profile breaches have originated from exploited management tools rather than frontline endpoints.

The SQL injection flaw suggests that secure development lifecycle practices must be continuously reinforced. Input validation and parameterized queries are long-established defensive measures. Yet these vulnerabilities persist in modern enterprise products. This signals either legacy code exposure or insufficient code auditing depth.

The Stored XSS vulnerability further illustrates that even user-interface components in enterprise software can become gateways to administrative compromise. Many organizations underestimate XSS because it is often associated with consumer web applications. In management consoles, however, XSS can lead directly to session hijacking of privileged users.

Ivanti’s statement that there is no known exploitation before disclosure provides some reassurance. But history shows that once vulnerabilities are publicly detailed, exploitation attempts frequently follow within days. Attackers monitor patch advisories as closely as defenders.

The timeline also deserves attention. Vulnerabilities reported in November 2024 and disclosed later demonstrate the complexity of coordinated vulnerability disclosure processes. Enterprises relying on such platforms must maintain a disciplined patch cadence aligned with vendor advisories.

From a defensive standpoint, patching alone is not enough. Organizations should evaluate network segmentation, restrict administrative console exposure, enforce multi-factor authentication, and monitor for anomalous administrative behavior. Endpoint Manager systems should never be treated as ordinary internal tools. They should be hardened like domain controllers.

The broader lesson is architectural. Centralized control delivers efficiency, but it also concentrates risk. Security teams must treat management platforms as high-value assets requiring enhanced monitoring, logging, and access controls.

In the current threat landscape, where ransomware groups and advanced persistent threat actors actively target enterprise management software, delayed patching can be catastrophic. The Ivanti updates serve as a reminder that vulnerability management is not routine maintenance. It is a frontline defense mechanism.

Fact Checker Results

✅ CVE-2026-1603 is a high-severity authentication bypass with a CVSS score of 8.6 affecting Ivanti Endpoint Manager before 2024 SU5.
✅ CVE-2026-1602 is a medium-severity SQL injection vulnerability requiring authentication and fixed in 2024 SU5.
✅ CVE-2025-10573 is a Stored XSS flaw affecting versions prior to 2024 SU4 SR1 with a CVSS score of 9.6.

Prediction

📊 Increased scanning and proof-of-concept exploits are likely to emerge shortly after disclosure as attackers test exposed Endpoint Manager instances.
📊 Enterprises that delay upgrading to 2024 SU5 may face targeted exploitation attempts focused on credential extraction and privilege escalation.
📊 Endpoint management platforms will continue to be high-priority targets for threat actors seeking scalable network compromise opportunities.


References:

Reported By: securityaffairs.com