
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN154
_____________________________________________________________________

DATE                : 11/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Ivanti Endpoint Manager versions
                                prior to 2024 SU5.

=====================================================================
https://forums.ivanti.com/s/article/Security-Advisory-EPM-February-2026-for-EPM-2024
_____________________________________________________________________

Security Advisory EPM February 2026 for EPM 2024

Primary Product
Endpoint Manager

Created Date
9-Feb-2026 20.55.19

Last Modified Date
10-Feb-2026 14.59.26


Summary 

Ivanti has released updates for Ivanti Endpoint Manager which 
address one high severity vulnerability and one medium severity 
vulnerability. Successful exploitation could allow a remote 
authenticated attacker to leak arbitrary data or compromise user 
sessions. 

Additionally, 11 medium severity vulnerabilities previously disclosed 
in October 2025 have been resolved with this update. 

We are not aware of any customers being exploited by these 
vulnerabilities at the time of disclosure. 


Vulnerability Details: 

CVE Number            : CVE-2026-1602
Description           : SQL injection in Ivanti Endpoint Manager before
                        version 2024 SU5 allows a remote authenticated
                        attacker to read arbitrary data from the
                        database.
CVSS Score (Severity) : 6.5 (Medium)
CVSS Vector           : CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE                   : CWE-89

CVE Number            : CVE-2026-1603
Description           : An authentication bypass in Ivanti Endpoint
                        Manager before version 2024 SU5 allows a remote
                        unauthenticated attacker to leak specific
                        stored credential data.
CVSS Score (Severity) : 8.6 (High)
CVSS Vector           : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CWE                   : CWE-288


Affected Versions 

Product Name        : Ivanti Endpoint Manager (EPM)
Affected Version(s) : 2024 SU4 SR1 and prior
Resolved Version(s) : 2024 SU5
Patch Availability  : Download Available in ILS


Solution 

Customers can resolve these vulnerabilities by updating to Ivanti EPM 
2024 SU5, available in ILS. 


Acknowledgements 

Ivanti would like to thank the following for reporting the relevant 
issues and for working with Ivanti to help protect our customers: 

    06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 working with Trend Zero Day

Note: Ivanti is dedicated to ensuring the security and integrity of 
our enterprise software products. We recognize the vital role that 
security researchers, ethical hackers, and the broader security 
community play in identifying and reporting vulnerabilities. Visit 
HERE to learn more about our Vulnerability Disclosure Policy. 


FAQ 

    Are you aware of any active exploitation of these vulnerabilities? 

We are not aware of any customers being exploited by these 
vulnerabilities prior to public disclosure. These vulnerabilities were 
disclosed through our responsible disclosure program.   

    How can I tell if I have been compromised? 

Currently, there is no known public exploitation of these 
vulnerabilities that could be used to provide a list of indicators 
of compromise. 

    What should I do if I need help?  

If you have questions after reviewing this information, you can log a 
case and/or request a call via the Ivanti Innovators Hub. 

 
Article Number : 000104842

 
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




