
CVE-2023-35081: Critical Flaw in Ivanti EPMM

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical flaw in Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core, adding it to the Known Exploited Vulnerabilities catalog.


CVE-2023-35081: Disclosure and Overview

The vulnerability, identified as CVE-2023-35082 with a CVSS score of 9.8, allows an authentication bypass, potentially giving an unauthorized remote attacker access to users’ personally identifiable information and the ability to make limited modifications to the server. Ivanti issued a warning in August 2023, saying that all versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9, and 11.8, as well as MobileIron Core 11.7 and below, were affected.

Discovered and reported by cybersecurity firm Rapid7, the flaw can be chained with CVE-2023-35081 to facilitate the writing of malicious web shell files to the appliance. The exact details of real-world attacks leveraging this vulnerability are currently unknown. Federal agencies are urged to implement vendor-provided fixes by February 8, 2024.




This disclosure coincides with the exploitation of two zero-day flaws in Ivanti Connect Secure (ICS) VPN devices (CVE-2023-46805 and CVE-2024-21887), leading to the deployment of web shells and passive backdoors. Ivanti is set to release updates next week to address these issues. Notably, threat actors targeting ICS VPN devices have focused on compromising configurations and running caches containing vital operational secrets. Ivanti recommends rotating these secrets after system rebuilds.

Volexity reported evidence of compromise in over 1,700 devices globally, initially linked to the suspected Chinese threat actor UTA0178. However, more threat actors have since joined the exploitation efforts. Assetnote’s reverse engineering efforts uncovered another endpoint (“/api/v1/totp/user-backup-code”) for abusing the authentication bypass flaw (CVE-2023-46805) on older ICS versions, potentially obtaining a reverse shell.

Security researchers Shubham Shah and Dylan Pindur emphasized the incident as “another example of a secure VPN device exposing itself to wide-scale exploitation due to relatively simple security mistakes.”

Milena Dimitrova
