CISA Flags Critical Vulnerabilities in Ivanti Endpoint Manager Mobile and MobileIron Core

CISA has included a critical vulnerability, now patched, affecting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core in its Known Exploited Vulnerabilities catalog.


This vulnerability, tracked as CVE-2023-35082 and rated 9.8 on the CVSS scale, is an authentication bypass that has been actively exploited in real-world attacks. It is a patch bypass for another flaw, CVE-2023-35078, which has a CVSS score of 10.0. Successful exploitation could give an unauthorized remote actor access to users' personally identifiable information and allow limited changes to the server. All versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9, and 11.8, as well as MobileIron Core 11.7 and below, are impacted.

The cybersecurity firm Rapid7, which discovered and reported the flaw, highlighted its potential to be combined with CVE-2023-35081, enabling attackers to deploy malicious web shell files. While the specific methods of real-world attacks are not disclosed, federal agencies are advised to apply the fixes provided by the vendor by February 8, 2024.

Concurrently, two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN devices (CVE-2023-46805 and CVE-2024-21887) are being actively exploited. Attackers are deploying web shells and passive backdoors, focusing on the system's configuration and running cache, which contains critical VPN operation secrets. Ivanti suggests rotating secrets after a system rebuild. Volexity reported evidence of compromise on over 1,700 devices globally. The exploitation was initially linked to a suspected Chinese threat actor (UTA0178), and additional threat actors have since joined in.

Through reverse engineering, Assetnote discovered an additional endpoint (“/api/v1/totp/user-backup-code”) that could be exploited to abuse the authentication bypass flaw (CVE-2023-46805) on older ICS versions, allowing for the acquisition of a reverse shell. Security researchers highlighted this as another instance of a supposedly secure VPN device being susceptible to widespread exploitation due to simple security oversights. Ivanti is expected to release updates for the VPN flaws in the upcoming week.
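For defenders triaging exposure, the sketch below hunts access logs for requests to the endpoint named above. It is an added example, not code from Ivanti, Assetnote or the original article; it assumes logs in Apache/nginx "combined" format (for instance from a reverse proxy in front of the appliance), and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint named in the article (Assetnote's finding for CVE-2023-46805).
WATCHED = "/api/v1/totp/user-backup-code"

# Assumption: "combined"-style access log lines; adjust the pattern to
# whatever format your proxy or log export actually produces.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Reduce a request target to a lowercase, decoded path for matching."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # undo repeated percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/{2,}", "/", path).lower()

def find_hits(lines):
    """Return {client_ip: [(timestamp, method, status, raw_target), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and WATCHED in normalize(m["target"]):
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"]), m["target"]))
    return dict(hits)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [12/Jan/2024:03:14:07 +0000] "GET /api/v1/totp/user-backup-code HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [12/Jan/2024:03:14:09 +0000] "POST /api/v1/TOTP/user%2Dbackup%2Dcode?x=1 HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.20 - - [12/Jan/2024:03:15:00 +0000] "GET /login HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Jan/2024:03:16:30 +0000] "GET //api/v1/totp//user-backup-code HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, events in find_hits(SAMPLE).items():
        for ts, method, status, target in events:
            print(f"{ip} {ts} {method} {status} {target}")
```

Any hit on an unpatched device is a reason to review it for the web shells and backdoors described above; the status code only shows how the request was answered, not whether the device is clean.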