The US Cybersecurity and Infrastructure Security Agency (CISA) has included a second actively exploited vulnerability of Ivanti's Endpoint Manager Mobile (EPMM, formerly MobileIron Core) in its Known Exploited Vulnerabilities Catalog. The vulnerability, tracked as CVE-2023-35081, is being exploited in tandem with another vulnerability, CVE-2023-35078. This information was disclosed in a joint Cybersecurity Advisory (CSA) released by CISA and the Norwegian National Cyber Security Centre (NCSC-NO).
Ivanti had released a patch for CVE-2023-35078 on July 23, 2023. However, they later discovered that threat actors could exploit CVE-2023-35078 in combination with CVE-2023-35081. Consequently, a patch for the second vulnerability was released on July 28, 2023. The NCSC-NO observed the potential for these vulnerabilities to be chained together.
The exploitation of these vulnerabilities could allow an attacker to bypass administrator authentication and ACLs restrictions. As a result, malicious files could be written to the appliance, which would allow a malicious actor to execute OS commands on the appliance as the tomcat user. Currently, it appears that the same limited number of customers affected by CVE-2023-35078 are also impacted by CVE-2023-35081.
The vulnerabilities affect Ivanti Endpoint Manager Mobile (EPMM) mobile device management software and can be exploited by an unauthorized user to access restricted functionality or resources of the application without proper authentication. The zero-day vulnerability has been exploited by threat actors in recent attacks against the ICT platform used by twelve ministries of the Norwegian government.
Mobile device management (MDM) systems are appealing targets for threat actors as compromising them can provide elevated access to thousands of mobile devices. CISA and NCSC-NO have issued warnings about the potential for widespread exploitation of Ivanti vulnerabilities in government and private sector networks.
In accordance with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies are required to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. It is also recommended that private organizations review the Catalog and address the vulnerabilities in their infrastructure. Federal agencies have been instructed by CISA to fix this flaw by August 21, 2023.