A previously patched critical vulnerability (CVE-2023-35082) affecting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core is being actively exploited, the Cybersecurity and Infrastructure Security Agency (CISA) has confirmed by adding the vulnerability to its Known Exploited Vulnerabilities Catalog (KEV).
It is not known whether the vulnerability is being exploited by ransomware groups, and CISA does not publish specific information about attacks in which the vulnerabilities in the KEV catalog are exploited.
But it does seem that, at least in this case, the inclusion comes rather late: Ivanti’s Knowledge Base entry for CVE-2023-35082 – which was apparently last updated on August 22, 2023 – states in the FAQ section that “Ivanti has been informed of exploitation by a few customers who have been exploited since the details were made publicly available by Rapid7.”
Ivanti’s security advisory for CVE-2023-35082 still doesn’t mention active exploitation, though it has a link to the aforementioned Knowledge Base article (the link has been added as part of an update of the advisory made on August 21, 2023).
CVE-2023-35082 has been fixed
CVE-2023-35082 is a remote unauthenticated API access vulnerability that can be exploited by unauthorized, remote (internet-facing) threat actors to obtain users’ personally identifiable information (PII) and make alterations to the server.
The flaw was discovered and reported by Rapid7 in early August 2023, and they consider it to be a patch bypass for CVE-2023-35078, another authentication bypass vulnerability in Ivanti EPMM.
CVE-2023-35082 was initially believed to affect only MobileIron Core versions 11.2 and prior, but Ivanti soon confirmed that it affects all versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9 and 11.8 and MobileIron Core 11.7 and below. “The risk of exploitation depends on the individual customer’s configurations,” the company noted.
Ivanti first provided an RPM script for versions 11.10 to 11.3 as a temporary mitigation, and later included a fix in EPMM v11.11.
Customers who haven’t yet upgraded to v11.11 (or later) should do so quickly. They should also search for indicators of compromise provided by Rapid7, to check whether they’ve been breached through this vulnerability.
Other Ivanti offerings under attack
Ivanti has recently disclosed two zero-days affecting its Connect Secure VPN devices that are also being exploited by attackers.
CVE-2023-46805, an authentication bypass vulnerability, and CVE-2024-21887, a command injection vulnerability, are under mass exploitation and, in some cases, the attackers are delivering crypto-miners.