Critical Ivanti Authentication Bypass Bug Now Actively Exploited, Warns CISA
January 18, 2024
The Cybersecurity and Infrastructure Security Agency (CISA) has warned that a critical authentication bypass vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) and MobileIron Core device management software is now being actively exploited. The vulnerability, tracked as CVE-2023-35082, is a remote unauthenticated API access flaw affecting all versions of EPMM 11.10, 11.9, and 11.8, as well as MobileIron Core 11.7 and below. Successful exploitation could give attackers access to the personally identifiable information (PII) of mobile device users and, when chained with other vulnerabilities, potentially allow them to backdoor compromised servers.
Ivanti has released an RPM script to address the issue and advises customers to upgrade to a supported version before applying it. The company published this guidance in August. For further details, customers are directed to a Knowledge Base article on the Ivanti Community portal.
Cybersecurity firm Rapid7, which discovered and reported the vulnerability, has published indicators of compromise (IOCs) to help administrators detect signs of a CVE-2023-35082 attack. According to Shodan data, around 6,300 Ivanti EPMM user portals are currently exposed online, while the Shadowserver threat monitoring platform counts 3,420 Internet-exposed EPMM appliances. Shodan's data further shows that more than 150 instances linked to government agencies worldwide are directly reachable from the Internet.
CISA has added CVE-2023-35082 to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation, although there is no evidence so far of its use in ransomware attacks. Under the binding operational directive BOD 22-01 issued three years ago, the agency has also required U.S. federal agencies to patch the vulnerability by February 2. Ivanti has not yet updated its August advisories or issued a separate notification warning that the flaw is being exploited in the wild.
Additionally, two other Ivanti Connect Secure (ICS) zero-days, an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887), have been exploited at scale by multiple threat groups since January 11. Victims range from small businesses to several Fortune 500 companies across various sectors, and attackers have already backdoored more than 1,700 ICS VPN appliances using a GIFTEDVISITOR webshell variant. Several other Ivanti zero-days (including CVE-2021-22893, CVE-2023-35078, CVE-2023-35081, and CVE-2023-38035) have been exploited in recent years, both in targeted attacks and to breach numerous government, defense, and financial organizations in the United States and Europe, including several Norwegian government organizations.
Related News
- Ivanti's Connect Secure VPN and Policy Secure NAC Appliances Face Mass Exploitation
- Chinese Cyber Actors Exploit Ivanti Connect Secure and Policy Secure Zero-Day Vulnerabilities
- Critical Remote Code Execution Vulnerability in Ivanti's Endpoint Management Software
- Ivanti Patches 13 Critical Security Flaws in Avalanche Enterprise Mobile Device Management Solution
- Critical Ivanti Sentry Bug Abused as Zero-Day: Exploit Released