CVE-2026-1603 Elastic Security · Elastic

Detect Ivanti Endpoint Manager (EPM) Authentication Bypass (CVE-2026-1603) in Elastic Security

CVE-2026-1603 is an authentication bypass vulnerability (CWE-288) in Ivanti Endpoint Manager (EPM). This KEV-listed vulnerability allows unauthenticated attackers to bypass authentication mechanisms and gain unauthorized access to the EPM management interface. Successful exploitation may lead to full compromise of managed endpoints, lateral movement, and deployment of malicious software across the enterprise.

MITRE ATT&CK

Tactic
Initial Access Persistence Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [network where process.name like~ "*landesk*" or process.name like~ "*ivanti*" or process.name like~ "*epm*" or process.name like~ "*cba8*"
    and destination.port in (9675, 9676, 443, 80)
  ]
  [authentication where
    (user.name == "" or user.name like~ "*anonymous*" or user.name like~ "*guest*")
    and event.outcome == "success"
    and network.type == "ipv4"
  ]
| head 200
critical severity medium confidence

EQL sequence rule correlating Ivanti EPM network connections immediately followed by anomalous authentication successes with empty, anonymous, or guest account names, indicating potential authentication bypass exploitation.

Data Sources

Elastic EndpointWindows Event Logs via WinlogbeatNetwork packet capture

Required Tables

logs-endpoint.events.network-*logs-endpoint.events.authentication-*winlogbeat-*

False Positives & Tuning

  • EPM service accounts with minimal display names that resemble anonymous accounts
  • Lab or staging environments where guest authentication is permitted for testing
  • Automated monitoring agents that authenticate to EPM with service credentials appearing anonymous
  • Network proxies or gateways that strip user context when forwarding requests to EPM

Other platforms for CVE-2026-1603

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Anonymous Network Logon to EPM Port

    Expected signal: Windows Security EventID 4624 with LogonType=3 and AccountName blank or 'ANONYMOUS LOGON' on the EPM server; IIS access log entry with 401/200 status for /ldlogon/ from test source IP; network flow record on EPM management port 9675.

  2. Test 2EPM Process Spawning Suspicious Child Process

    Expected signal: DeviceProcessEvents entry showing cmd.exe spawned with working directory in Ivanti Management Suite path; process creation event with parent process in EPM directory; command line containing 'whoami' captured in endpoint telemetry.

  3. Test 3Authentication Bypass Simulation via Empty Credential HTTP Request

    Expected signal: IIS access log entry on EPM server showing request to /ldlogon/ with empty Authorization header from test IP; network flow record; if EPM processes the request, a Windows Security EventID 4624 or 4648 with minimal credential context.

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-1603 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1210Exploitation of Remote ServicesT1072Software Deployment Tools

Same Tactic: Initial Access

Popular Detections