Which SIEM platforms have a CVE-2026-1603 detection rule?

df00tech provides CVE-2026-1603 (Ivanti Endpoint Manager (EPM) Authentication Bypass (CVE-2026-1603)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Ivanti Endpoint Manager (EPM) Authentication Bypass (CVE-2026-1603) (CVE-2026-1603)?

Detecting Ivanti Endpoint Manager (EPM) Authentication Bypass (CVE-2026-1603) requires the following data sources: DeviceNetworkEvents, DeviceLogonEvents, SecurityEvent, AuditLogs.

What severity and confidence is the CVE-2026-1603 detection?

The CVE-2026-1603 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2026-1603?

Common false positives for CVE-2026-1603 include: Legitimate EPM service accounts performing network authentication during scheduled tasks or patch cycles; Monitoring or vulnerability scanning tools probing EPM ports during authorized assessments; EPM agent re-enrollment or re-registration workflows that generate anonymous initial connection attempts.

CVE-2026-1603

Ivanti Endpoint Manager (EPM) Authentication Bypass (CVE-2026-1603)

Initial Access Persistence Lateral Movement Last updated: June 19, 2026

CVE-2026-1603 is an authentication bypass vulnerability (CWE-288) in Ivanti Endpoint Manager (EPM). This KEV-listed vulnerability allows unauthenticated attackers to bypass authentication mechanisms and gain unauthorized access to the EPM management interface. Successful exploitation may lead to full compromise of managed endpoints, lateral movement, and deployment of malicious software across the enterprise.

Vulnerability Intelligence

KEV — Known Exploited

CVE

CVE-2026-1603↗ NVD

Affected Software

Vendor: Ivanti
Product: Endpoint Manager (EPM)

Weakness (CWE)

CWE-288

Timeline

Disclosed: March 9, 2026

References & Proof of Concept

CVSS

Unscored

Write-up coming soon

What is CVE-2026-1603 Ivanti Endpoint Manager (EPM) Authentication Bypass (CVE-2026-1603)?

Ivanti Endpoint Manager (EPM) Authentication Bypass (CVE-2026-1603) (CVE-2026-1603) maps to the Initial Access and Persistence and Lateral Movement tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Ivanti Endpoint Manager (EPM) Authentication Bypass (CVE-2026-1603), covering the data sources and telemetry it touches: DeviceNetworkEvents, DeviceLogonEvents, SecurityEvent, AuditLogs. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Initial Access Persistence Lateral Movement

Microsoft Sentinel / Defender

kusto

let EPMHosts = DeviceNetworkInfo
| where isnotempty(MacAddress)
| extend HostName = DeviceName
| project DeviceId, HostName;
DeviceNetworkEvents
| where RemotePort in (9675, 9676, 443, 80)
| where InitiatingProcessFileName in~ ("LANDesk.ManagementSuite.exe", "LDDiscovery.exe", "EPMAgent.exe", "cba8.exe")
    or RemoteUrl has_any ("landesk", "ivanti", "epm", "ldms")
| join kind=leftouter EPMHosts on DeviceId
| union (
    DeviceLogonEvents
    | where LogonType in ("Network", "RemoteInteractive")
    | where AccountName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
    | where InitiatingProcessFileName has_any ("LANDesk", "ivanti", "EPM")
    | where ActionType == "LogonSuccess"
    | where isempty(LogonResult) or LogonResult == "Success"
)
| union (
    SecurityEvent
    | where EventID in (4624, 4625, 4648)
    | where ProcessName has_any ("landesk", "ivanti", "epm", "ldms", "LANDesk.ManagementSuite")
    | where LogonType == 3
)
| union (
    AuditLogs
    | where OperationName has_any ("Logon", "Authentication", "Token")
    | where ResultReason has_any ("bypass", "unauthenticated", "anonymous")
)
| extend SuspiciousAuthentication = case(
    AccountName == "" or AccountName == "anonymous", "EmptyOrAnonymousAccount",
    isempty(AccountDomain) and LogonType == "Network", "MissingDomainNetworkLogon",
    "NominalAuthentication"
)
| where SuspiciousAuthentication != "NominalAuthentication"
| project TimeGenerated, DeviceName, AccountName, AccountDomain, RemoteIP, RemotePort, SuspiciousAuthentication, InitiatingProcessFileName
| order by TimeGenerated desc

Detects potential exploitation of CVE-2026-1603 by identifying anomalous authentication patterns against Ivanti EPM services, including unauthenticated or anonymous network logons to EPM-related processes and suspicious authentication bypass indicators.

critical severity medium confidence

Data Sources

DeviceNetworkEvents DeviceLogonEvents SecurityEvent AuditLogs

Required Tables

DeviceNetworkEvents DeviceLogonEvents SecurityEvent AuditLogs DeviceNetworkInfo

False Positives

Legitimate EPM service accounts performing network authentication during scheduled tasks or patch cycles
Monitoring or vulnerability scanning tools probing EPM ports during authorized assessments
EPM agent re-enrollment or re-registration workflows that generate anonymous initial connection attempts
Load balancer or reverse proxy health checks against EPM endpoints

Splunk

spl

index=windows OR index=network sourcetype IN ("WinEventLog:Security", "XmlWinEventLog:Security", "stream:tcp", "ivanti:epm")
| eval is_epm_process=if(match(lower(process_name), "landesk|ivanti|epmag|cba8|ldiscov"), 1, 0)
| eval is_epm_port=if(dest_port IN ("9675", "9676", "443", "80") AND is_epm_process=1, 1, 0)
| eval bypass_indicator=case(
    EventCode IN ("4624", "4648") AND LogonType="3" AND Account_Name="" , "empty_account_network_logon",
    EventCode="4624" AND LogonType="3" AND match(lower(Account_Name), "anonymous|guest"), "anonymous_logon",
    EventCode="4625" AND match(lower(Failure_Reason), "bypass|token|unauthenticated"), "auth_bypass_failure",
    EventCode="4648" AND is_epm_process=1 AND match(lower(Account_Name), "anonymous|guest|null"), "explicit_credential_bypass",
    true(), "nominal"
  )
| where bypass_indicator!="nominal"
| eval src_ip=coalesce(src_ip, IpAddress, SourceAddress)
| eval dest_ip=coalesce(dest_ip, DestAddress)
| stats count AS event_count, values(bypass_indicator) AS bypass_indicators, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip, dest_ip, Account_Name, process_name, host
| where event_count >= 1
| eval risk_score=case(
    match(bypass_indicators, "empty_account|anonymous"), 90,
    match(bypass_indicators, "auth_bypass_failure"), 75,
    true(), 60
  )
| sort - risk_score
| table first_seen, last_seen, host, src_ip, dest_ip, Account_Name, process_name, bypass_indicators, event_count, risk_score

Detects authentication bypass indicators against Ivanti EPM by correlating Windows Security events and network flows for anomalous logon patterns including anonymous, empty, or bypass-flagged authentication to EPM-related processes.

critical severity medium confidence

Data Sources

Windows Security Event Log Network stream logs Ivanti EPM logs

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Security stream:tcp ivanti:epm

False Positives

Authorized EPM service account logons during maintenance windows or patch deployment cycles
Security scanner or vulnerability assessment tools targeting EPM endpoints during authorized engagements
Guest or anonymous accounts used in test or lab environments connected to production EPM
EPM agent initial provisioning workflows that use temporary anonymous credentials

Sumo Logic CSE

sql

_sourceCategory=windows/security OR _sourceCategory=ivanti/epm OR _sourceCategory=network/flows
| parse "EventID=*" as event_id nodrop
| parse "LogonType=*" as logon_type nodrop
| parse "AccountName=*" as account_name nodrop
| parse "FailureReason=*" as failure_reason nodrop
| parse "ProcessName=*" as process_name nodrop
| parse "SourceAddress=*" as src_ip nodrop
| parse "DestPort=*" as dest_port nodrop
| where (
    (event_id in ("4624", "4648") and logon_type = "3"
      and (isNull(account_name) or account_name = "" or toLowerCase(account_name) in ("anonymous logon", "guest", "anonymous")))
    or
    (event_id = "4625" and toLowerCase(failure_reason) matches "*bypass*")
    or
    (toLowerCase(_sourceCategory) matches "*ivanti*" and toLowerCase(failure_reason) matches "*unauthenticated*")
  )
| where (
    toLowerCase(process_name) matches "*landesk*"
    or toLowerCase(process_name) matches "*ivanti*"
    or toLowerCase(process_name) matches "*epm*"
    or dest_port in ("9675", "9676")
  )
| eval risk = if(account_name = "" or toLowerCase(account_name) = "anonymous logon", "HIGH", "MEDIUM")
| count by src_ip, account_name, process_name, event_id, risk
| sort by _count desc

Sumo Logic query detecting authentication bypass attempts against Ivanti EPM by correlating Windows Security events and Ivanti-specific log sources for anonymous or empty-credential logon successes to EPM processes and ports.

critical severity medium confidence

Data Sources

Windows Security Event Log Ivanti EPM logs Network flow logs

Required Tables

windows/security ivanti/epm network/flows

False Positives

EPM management service accounts operating under minimal credential contexts during routine operations
Authorized vulnerability scanning tools exercising EPM authentication endpoints
Lab environments with permissive authentication policies connected through shared Sumo Logic sources
Log parsing gaps where account name fields are empty due to log format version differences

CrowdStrike LogScale (CQL)

cql

#event_simpleName IN ("NetworkConnectIP4", "NetworkConnectIP6", "UserLogon", "UserLogonFailed")
| $falcon.metadata.eventType = "NetworkConnectIP4" OR $falcon.metadata.eventType = "UserLogon"

NetworkConnectIP4
| RemotePort IN (9675, 9676)
  OR (ImageFileName IMATCH "landesk|ivanti|epm|cba8|lddiscovery")
| rename RemoteAddressIP4 AS target_ip, LocalAddressIP4 AS src_ip
| join type=inner [
    UserLogon
    | UserName = "" OR UserName IMATCH "anonymous|guest"
    | AuthenticationPackage != "Kerberos"
    | LogonType IN (3, 10)
    | fields ComputerName, UserName, UserSid, RemoteAddressIP4, LogonType, AuthenticationPackage
  ] on ComputerName
| eval bypass_type = case(
    UserName = "", "empty_username_logon",
    UserName IMATCH "anonymous", "anonymous_logon",
    UserName IMATCH "guest", "guest_logon",
    true(), "other_suspicious"
  )
| stats count() AS event_count, values(bypass_type) AS bypass_types, min(timestamp) AS first_seen, max(timestamp) AS last_seen
    BY ComputerName, src_ip, target_ip, UserName, ImageFileName
| where event_count >= 1
| sort - event_count

CrowdStrike Falcon LogScale (CQL) query correlating network connections to Ivanti EPM ports and processes with anomalous user logon events featuring empty, anonymous, or guest usernames, indicating potential CVE-2026-1603 authentication bypass exploitation.

critical severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Telemetry CrowdStrike Network Detection

Required Tables

NetworkConnectIP4 UserLogon UserLogonFailed

False Positives

CrowdStrike sensor telemetry gaps where username fields are not populated during certain logon types
Authorized EPM agents or service accounts using non-Kerberos authentication methods in legacy environments
Vulnerability scanning or penetration testing tools exercising EPM authentication endpoints with authorized credentials
EPM agent provisioning workflows that temporarily authenticate with reduced or empty credentials during initial enrollment

Sigma rule & cross-platform mapping

The detection logic for Ivanti Endpoint Manager (EPM) Authentication Bypass (CVE-2026-1603) (CVE-2026-1603) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-1603 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-1603

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-06-19 Research depth: standard

References (2)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Simulate Anonymous Network Logon to EPM Port
Expected signal: Windows Security EventID 4624 with LogonType=3 and AccountName blank or 'ANONYMOUS LOGON' on the EPM server; IIS access log entry with 401/200 status for /ldlogon/ from test source IP; network flow record on EPM management port 9675.
Test 2EPM Process Spawning Suspicious Child Process
Expected signal: DeviceProcessEvents entry showing cmd.exe spawned with working directory in Ivanti Management Suite path; process creation event with parent process in EPM directory; command line containing 'whoami' captured in endpoint telemetry.
Test 3Authentication Bypass Simulation via Empty Credential HTTP Request
Expected signal: IIS access log entry on EPM server showing request to /ldlogon/ with empty Authorization header from test IP; network flow record; if EPM processes the request, a Windows Security EventID 4624 or 4648 with minimal credential context.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2026-1603 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0001Initial Access TA0003Persistence TA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing Application T1078Valid Accounts T1210Exploitation of Remote Services T1072Software Deployment Tools

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2026-1603 Ivanti Endpoint Manager (EPM) Authentication Bypass (CVE-2026-1603)?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2026-1603

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox