Detect Ivanti Endpoint Manager (EPM) Authentication Bypass (CVE-2026-1603) in Microsoft Sentinel
CVE-2026-1603 is an authentication bypass vulnerability (CWE-288) in Ivanti Endpoint Manager (EPM). This KEV-listed vulnerability allows unauthenticated attackers to bypass authentication mechanisms and gain unauthorized access to the EPM management interface. Successful exploitation may lead to full compromise of managed endpoints, lateral movement, and deployment of malicious software across the enterprise.
MITRE ATT&CK
KQL Detection Query
let EPMHosts = DeviceNetworkInfo
| where isnotempty(MacAddress)
| extend HostName = DeviceName
| project DeviceId, HostName;
DeviceNetworkEvents
| where RemotePort in (9675, 9676, 443, 80)
| where InitiatingProcessFileName in~ ("LANDesk.ManagementSuite.exe", "LDDiscovery.exe", "EPMAgent.exe", "cba8.exe")
or RemoteUrl has_any ("landesk", "ivanti", "epm", "ldms")
| join kind=leftouter EPMHosts on DeviceId
| union (
DeviceLogonEvents
| where LogonType in ("Network", "RemoteInteractive")
| where AccountName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| where InitiatingProcessFileName has_any ("LANDesk", "ivanti", "EPM")
| where ActionType == "LogonSuccess"
| where isempty(LogonResult) or LogonResult == "Success"
)
| union (
SecurityEvent
| where EventID in (4624, 4625, 4648)
| where ProcessName has_any ("landesk", "ivanti", "epm", "ldms", "LANDesk.ManagementSuite")
| where LogonType == 3
)
| union (
AuditLogs
| where OperationName has_any ("Logon", "Authentication", "Token")
| where ResultReason has_any ("bypass", "unauthenticated", "anonymous")
)
| extend SuspiciousAuthentication = case(
AccountName == "" or AccountName == "anonymous", "EmptyOrAnonymousAccount",
isempty(AccountDomain) and LogonType == "Network", "MissingDomainNetworkLogon",
"NominalAuthentication"
)
| where SuspiciousAuthentication != "NominalAuthentication"
| project TimeGenerated, DeviceName, AccountName, AccountDomain, RemoteIP, RemotePort, SuspiciousAuthentication, InitiatingProcessFileName
| order by TimeGenerated descDetects potential exploitation of CVE-2026-1603 by identifying anomalous authentication patterns against Ivanti EPM services, including unauthenticated or anonymous network logons to EPM-related processes and suspicious authentication bypass indicators.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate EPM service accounts performing network authentication during scheduled tasks or patch cycles
- Monitoring or vulnerability scanning tools probing EPM ports during authorized assessments
- EPM agent re-enrollment or re-registration workflows that generate anonymous initial connection attempts
- Load balancer or reverse proxy health checks against EPM endpoints
Other platforms for CVE-2026-1603
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Anonymous Network Logon to EPM Port
Expected signal: Windows Security EventID 4624 with LogonType=3 and AccountName blank or 'ANONYMOUS LOGON' on the EPM server; IIS access log entry with 401/200 status for /ldlogon/ from test source IP; network flow record on EPM management port 9675.
- Test 2EPM Process Spawning Suspicious Child Process
Expected signal: DeviceProcessEvents entry showing cmd.exe spawned with working directory in Ivanti Management Suite path; process creation event with parent process in EPM directory; command line containing 'whoami' captured in endpoint telemetry.
- Test 3Authentication Bypass Simulation via Empty Credential HTTP Request
Expected signal: IIS access log entry on EPM server showing request to /ldlogon/ with empty Authorization header from test IP; network flow record; if EPM processes the request, a Windows Security EventID 4624 or 4648 with minimal credential context.
Unlock Pro Content
Get the full detection package for CVE-2026-1603 including response playbook, investigation guide, and atomic red team tests.