An actively exploited vulnerability has been patched in that latest updates for Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core. This zero-day flaw affects all supported versions of this mobile device management software, as well as some older release versions before EPMM 11.8.1.0 that are no longer managed by the developers. Ivanti have published a security advisory for this vulnerability where it is revealed that this actively exploited flaw has received the highest CVSS score of 10.0 which is a critical severity rating.
The flaw tracked as CVE-2023-35078 is an authentication bypass vulnerability that can result in successful attackers gaining API access. This exploit can be performed by a remote, unauthenticated attacker, where they can then gain access to personally identifiable information, add an administrator account, and change the server configuration. The exploits seen in the wild have been confirmed to be restricted to a low number of cases however further information about these attacks is not being shared by Ivanti at this time. This flaw is not known to be exploited as a supply chain attack, as it does not appear that this bug was added maliciously to the code during development.
All users of this software should apply the released patches as soon as possible through updating to the latest software releases or by upgrading any unsupported software to currently supported versions. Fixed versions include EPMM 11.8.1.1, 11.9.1.1, and 11.10.0.2. A Shodan search shared by a PwnDefend Cyber Security Consultant reveals that over 2900 EPMM (MobileIron) user portals are currently exposed to the internet, making them vulnerable to this sort of remote attack. These users were found to be spread mostly across Western Europe, specifically Germany and the UK, and also in the USA. Ivanti have advised customers that it is “critical that you immediately take action to ensure you are fully protected.”
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)