"Ivanti on Tuesday announced patches for over a dozen vulnerabilities in Endpoint Manager (EPM), including issues that were first disclosed in October 2025. In a new advisory, the company warns of a high-severity bug and a medium-severity flaw resolved in EPM, both of which could be exploited remotely. Tracked as CVE-2026-1603, the high-severity weakness is described as an authentication bypass leading to the exposure of credential data."
"The medium-severity flaw, tracked as CVE-2026-1602, is an SQL injection security defect that could allow authenticated attackers to read arbitrary data from the database. Both issues were resolved in EPM 2024 SU5, which also includes fixes for 11 medium-severity vulnerabilities that Ivanti warned about in October. The issues were reported to Ivanti in November 2024 and were publicly disclosed by Trend Micro's Zero Day Initiative (ZDI) as '0day', although they were not technically zero-days."
Ivanti released EPM 2024 SU5 to address a high-severity authentication bypass (CVE-2026-1603) that exposes credential data and a medium-severity SQL injection (CVE-2026-1602) that could let authenticated attackers read arbitrary database data. The update also remedies 11 medium-severity flaws disclosed in October and follows November 2025 fixes for two high-severity bugs. The issues were reported in November 2024 and publicly disclosed by Trend Micro's Zero Day Initiative as '0day', though not technically zero-days. Successful exploitation could enable privilege escalation and remote code execution. Users of EPM 2022 should migrate because it has reached End of Life.
Read at SecurityWeek
Unable to calculate read time
Collection
[
|
...
]