The decision by the US agency CISA to add the Ivanti Endpoint Manager (EPM) vulnerability to its Known Exploited Vulnerabilities (KEV) catalog is more than a routine warning. It signals that the tools used to protect infrastructure are themselves becoming the weakest link.
The vulnerability, tracked as CVE-2026-1603, allows attackers to take over credentials without any user interaction. Where the management of a fleet of devices, from macOS laptops to IoT systems, depends on centralisation, such a bug strikes at the heart of trust in the security architecture. Although Ivanti says it knows of no customers affected before the bug was made public, CISA's intervention suggests that the risk in the ecosystem is already real.
The key challenge is not the existence of the bug itself, but the recurrence of incidents. This is yet another time in the last eighteen months that Ivanti's EPM products have come under mandatory oversight. This sequence of incidents is forcing IT departments to move from reactive patching of holes to deeper vendor vetting. Requiring federal agencies to patch their systems within a strict three-week deadline (by 23 March) sets a new standard for the pace of work in the private sector, which often operates on a much slower update cycle.
The situation also sheds light on the wider problem of asset visibility. Data from the Shadowserver platform shows hundreds of EPM instances exposed directly to the internet, mainly in North America. Every day of delay in applying the Ivanti EPM 2024 SU5 patch is an open invitation to criminal groups specialising in identity theft.

