Ivanti has reported a new vulnerability in its Endpoint Manager Mobile (EPMM), previously known as MobileIron Core. The vulnerability, tracked as CVE-2023-35081, allows an authenticated administrator to write arbitrary files to the EPMM server. The company's advisory states, “CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server.” It further explains that an attacker can chain this vulnerability with another, CVE-2023-35078, to bypass administrator authentication and ACL restrictions.
The advisory continues, “Successful exploitation can be used to write malicious files to the appliance, ultimately allowing a malicious actor to execute OS commands on the appliance as the tomcat user.” At present, Ivanti is only aware of a limited number of customers impacted by both CVE-2023-35081 and CVE-2023-35078. The vulnerabilities affect supported versions 11.10, 11.9, and 11.8 of EPMM, but older versions or releases are also at risk.
This week, the US Cybersecurity and Infrastructure Security Agency (CISA) added the actively exploited Ivanti EPMM vulnerability, CVE-2023-35078, to its Known Exploited Vulnerabilities Catalog. This vulnerability is an authentication bypass issue affecting Ivanti Endpoint Manager Mobile (EPMM) mobile device management software. An unauthorized user can exploit the flaw to gain access to restricted functionality or resources of the application without the necessary authentication.
The zero-day vulnerability, CVE-2023-35078, has been exploited by threat actors in recent attacks against the ICT platform used by twelve ministries of the Norwegian government. In response to the threat, CISA has ordered federal agencies to address this flaw by August 15, 2023.