Critical Ivanti Authentication Bypass Bug Now Actively Exploited, Warns CISA

January 18, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) has warned of a critical authentication bypass vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) and MobileIron Core device management software that is currently being actively exploited. The vulnerability, tracked as CVE-2023-35082, is a remote unauthenticated API access flaw affecting all versions of EPMM 11.10, 11.9, and 11.8, as well as MobileIron Core 11.7 and below. Successful exploitation could give attackers access to the personally identifiable information (PII) of mobile device users and, when chained with other vulnerabilities, could allow them to backdoor compromised servers.

Ivanti has released an RPM script to address the issue and advises customers to first upgrade to a supported version before applying it. The company published this guidance in August. For more detailed information, customers are directed to a Knowledge Base article on the Ivanti Community portal.

Cybersecurity firm Rapid7, which discovered and reported the vulnerability, has provided indicators of compromise (IOCs) to assist administrators in detecting signs of a CVE-2023-35082 attack. According to data from Shodan, around 6,300 Ivanti EPMM user portals are currently exposed online. The Shadowserver threat monitoring platform has identified 3,420 Internet-exposed EPMM appliances. Shodan's data further reveals that over 150 instances linked to global government agencies can be directly accessed via the Internet.

CISA has added CVE-2023-35082 to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation, although there is no evidence so far of its use in ransomware attacks. Under Binding Operational Directive 22-01, issued three years ago, the agency has also ordered U.S. federal agencies to patch the vulnerability by February 2. Ivanti has not yet updated its August advisories or issued a separate notification warning that the vulnerability is being exploited in the wild.

Additionally, two other Ivanti Connect Secure (ICS) zero-days, an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887), have been exploited at scale by multiple threat groups since January 11. Victims range from small businesses to several Fortune 500 companies across various sectors, and the attackers have already backdoored over 1,700 ICS VPN appliances using a GIFTEDVISITOR webshell variant. Several other Ivanti zero-days (CVE-2021-22893, CVE-2023-35078, CVE-2023-35081, and CVE-2023-38035) have been exploited in recent years, both in targeted attacks and in breaches of numerous government, defense, and financial organizations in the United States and Europe, including several Norwegian government organizations.
