OrganisationUS

Ivanti

US IT management vendor; authentication bypass CVE-2026-1603 in Endpoint Manager added to CISA KEV in March 2026.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

Why does Ivanti keep showing up on CISA's list of exploited vulnerabilities?

Timeline for Ivanti

#117 Apr

Mentioned in: F5 reclassifies DoS bug to 9.8 RCE

Cybersecurity: Threats and Defences

View full timeline →

Follow Cybersecurity: Threats and Defences →

Common Questions

Why is Ivanti being targeted by hackers so often?: Multiple Ivanti products (Connect Secure, Endpoint Manager) contain vulnerabilities that state-linked groups, including Chinese APT actors, have exploited at scale. CISA added CVE-2026-1603, an Ivanti Endpoint Manager authentication bypass, to KEV in March 2026.Source: CISA / NCSC
Should organisations stop using Ivanti products?: CISA issued temporary disconnection advisories for specific Ivanti products during active exploitation periods, an unusual step. Whether to continue deployment depends on an organisation's risk tolerance and whether it can meet CISA's patch timelines.Source: CISA

Background

Ivanti's CVE-2026-1603, an authentication bypass vulnerability in Ivanti Endpoint Manager, was added to the CISA Known Exploited Vulnerabilities catalogue in March 2026 as actively exploited. The addition follows a pattern of multiple high-severity Ivanti CVEs appearing on KEV across 2024 and 2025, with CISA and NCSC both issuing advisories on the systematic exploitation of Ivanti Connect Secure and Endpoint Manager products by state-linked threat actors.

Ivanti is a US IT asset and service management vendor providing endpoint management, Mobile Device Management and security tools to enterprise and government customers globally. From 2024 onwards, its products became a primary target for state-linked exploitation: Chinese APT groups and Iranian threat actors both leveraged Ivanti Connect Secure CVEs in mass exploitation campaigns that reached critical infrastructure and defence-sector targets.

For Ivanti customers, the repeated appearance of Ivanti products on KEV has become a risk-management conversation about whether the vendor's secure development lifecycle is adequate for products in high-threat positions. CISA's advice has included temporary disconnection recommendations for specific Ivanti products, an unusual step that reflects the severity of the exploitation pattern.

How the World Sees Them

CISA

The frequency of Ivanti KEV additions prompted CISA to issue product-specific disconnection advisories, a measure reserved for the most severely exploited enterprise products.

Ivanti

The company has invested in its vulnerability disclosure and patching processes following CISA pressure; whether those improvements have reached the Endpoint Manager codebase is the 2026 test.

Enterprise procurement teams

Repeated state-linked exploitation of a single vendor's products raises the question of whether continued deployment is a manageable risk or a structural liability.