Ivanti, an IT software enterprise, has announced a critical security flaw in its MobileIron Core mobile device management software. The vulnerability, identified as CVE-2023-35082, is a remote unauthenticated API access vulnerability that affects MobileIron Core 11.2 and older versions. If successfully exploited, it could let attackers access the personally identifiable information of mobile device users and potentially backdoor compromised servers by deploying web shells.
Ivanti has stated that it will not be releasing security patches to rectify this flaw, as it has been addressed in the newer versions of the product, now rebranded as Endpoint Manager Mobile (EPMM). The company said, "MobileIron Core 11.2 has been out of support since March 15, 2022. Therefore, Ivanti will not be issuing a patch or any other remediations to address this vulnerability in 11.2 or earlier versions. Upgrading to the latest version of Ivanti Endpoint Manager Mobile (EPMM) is the best way to protect your environment from threats."
According to Shodan, over 2,200 MobileIron user portals are currently exposed online, some of which are connected to U.S. local and state government agencies. Cybersecurity firm Rapid7, which discovered and reported the bug, has provided indicators of compromise (IOCs) to assist defenders in detecting signs of a CVE-2023-35082 attack. The firm strongly urges Ivanti customers to update their MobileIron Core software to the latest version immediately.
In addition to CVE-2023-35082, two other security vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM) have been exploited by state hackers since April, according to a CISA advisory published on Tuesday. One of these flaws, CVE-2023-35078, a critical authentication bypass, was used as a zero-day to breach the networks of several Norwegian government entities. It can be chained with a directory traversal flaw, CVE-2023-35081, allowing threat actors with administrative privileges to deploy web shells on compromised systems.
CISA stated, "Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency's network."
Mobile device management (MDM) systems are attractive targets for threat actors as they provide elevated access to thousands of mobile devices. APT actors have previously exploited a MobileIron vulnerability. As a result, both CISA and NCSC-NO are concerned about the potential for widespread exploitation in both government and private sector networks.