Organisation · US

Ivanti

US endpoint and MDM vendor; four KEV zero-days since 2023; state-linked exploitation at scale.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Key Question

Why does Ivanti keep showing up on CISA's list of exploited vulnerabilities?

Timeline for Ivanti

#37 May

Confirmed limited exploitation of CVE-2026-6973 and issued May 2026 EPMM security update

Cybersecurity: Threats and Defences: Ivanti EPMM logs fourth KEV zero-day since 2023
#128 Mar

Mentioned in: F5 reclassifies DoS bug to 9.8 RCE

Cybersecurity: Threats and Defences
Common Questions
Why is Ivanti being targeted by hackers so often?
Multiple Ivanti products contain vulnerabilities that state-linked groups, including Chinese APT actors, have exploited at scale. CISA added a fourth Ivanti MDM zero-day (CVE-2026-6973) to KEV in May 2026 — the fourth such entry for Ivanti products since 2023. Source: CISA / NCSC
Should organisations stop using Ivanti products?
CISA has issued temporary disconnection advisories for specific Ivanti products during active exploitation periods. Whether to continue deployment depends on an organisation's risk tolerance and ability to meet CISA's patch timelines. Four KEV entries since 2023 for Ivanti MDM products have made this a board-level risk discussion. Source: CISA
What is the latest Ivanti vulnerability in 2026?
CVE-2026-6973 in Ivanti Endpoint Manager Mobile (EPMM) was added to CISA's KEV catalogue on 7 May 2026 with a 10 May federal deadline. It allows a remotely authenticated administrator to achieve Remote Code Execution (CVSS 7.2). Source: CISA

Background

Ivanti's CVE-2026-1603, an authentication bypass vulnerability in Ivanti Endpoint Manager, was added to the CISA Known Exploited Vulnerabilities catalogue in March 2026 as actively exploited. The addition follows a pattern of multiple high-severity Ivanti CVEs appearing on KEV across 2024 and 2025, with CISA and NCSC both issuing advisories on the systematic exploitation of Ivanti Connect Secure and Endpoint Manager products by state-linked threat actors.

Ivanti is a US IT asset and service management vendor providing endpoint management, Mobile Device Management and security tools to enterprise and government customers globally. From 2024 onwards, its products became a primary target for state-linked exploitation: Chinese APT groups and Iranian threat actors both leveraged Ivanti Connect Secure CVEs in mass exploitation campaigns that reached critical infrastructure and defence-sector targets.

For Ivanti customers, the repeated appearance of Ivanti products on KEV has become a risk-management conversation about whether the vendor's secure development lifecycle is adequate for products in high-threat positions. CISA's advice has included temporary disconnection recommendations for specific Ivanti products, an unusual step that reflects the severity of the exploitation pattern.

In May 2026, CVE-2026-6973 in Ivanti Endpoint Manager Mobile (EPMM) — the fourth Ivanti MDM zero-day to reach KEV since 2023 — was added with a 10 May federal deadline. The flaw allows a remotely authenticated administrator to achieve RCE (CVSS 7.2). Ivanti confirmed limited exploitation and noted reduced risk for customers who rotated credentials after the January 2026 zero-days. The four-KEV milestone since 2023 for a single product line places Ivanti in a distinct risk category for government and regulated-sector customers who must track KEV compliance.