Ivanti has disclosed a high-severity vulnerability in its Endpoint Manager Mobile (EPMM) product, previously known as MobileIron Core. The flaw, tracked as CVE-2023-35081 and rated with a CVSS score of 7.8, has reportedly been used by threat actors in real-world exploit chains.
The vulnerability affects the supported versions 11.10, 11.9 and 11.8, as well as end-of-life (EoL) releases. According to Ivanti, it allows an authenticated administrator to write arbitrary files to the EPMM server. On its own that is a post-authentication issue, but it can be chained with another flaw, CVE-2023-35078, which bypasses administrator authentication and Access Control List (ACL) restrictions, so the administrator access it requires can be obtained without valid credentials.
If successfully exploited, an attacker can write arbitrary files onto the appliance and, by placing executable content where the web server will pick it up, run operating system commands as the tomcat user. Ivanti stated that the set of customers affected by this vulnerability is the same as for the earlier CVE-2023-35078.
The Norwegian security firm Mnemonic, which reported the flaw, has observed CVE-2023-35081 being exploited in conjunction with CVE-2023-35078. The combination lets an attacker drop malicious JSP and Java .class files into a running Apache Tomcat instance, so that arbitrary Java bytecode executes on the compromised server in the context of the Tomcat process.
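The practical consequence of the chain described above is that new or altered JSP and .class files appear inside the appliance's Tomcat webapps tree. The following added example (not code from the original article, Ivanti, or Mnemonic) shows a minimal file-integrity check for that condition: it snapshots every deployable artifact under a webapps directory, then reports files that were added or modified since the snapshot. The directory layout, file names and contents used in the demo are constructed for illustration and do not reflect the real EPMM install.

```python
"""Detect unexpected JSP/.class files in a Tomcat webapps tree (added example)."""
import hashlib
import sys
import tempfile
from pathlib import Path

# Artifact types Tomcat will load or execute; a dropped web shell is one of these.
WATCHED_SUFFIXES = {".jsp", ".jspx", ".class", ".jar", ".war"}


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large jars do not have to be read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Return {relative POSIX path: sha256} for every watched file under root."""
    manifest = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = file_sha256(path)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> tuple:
    """Compare two manifests and return (added, modified, removed) relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def demo() -> tuple:
    """Constructed scenario: snapshot a toy webapps tree, then simulate a post-exploitation write.

    The application name 'webapp' and the file contents are placeholders, not EPMM's real layout.
    """
    with tempfile.TemporaryDirectory() as tmp:
        webapps = Path(tmp) / "webapps"
        classes = webapps / "webapp" / "WEB-INF" / "classes"
        classes.mkdir(parents=True)
        (webapps / "webapp" / "index.jsp").write_text("<%-- shipped page --%>\n")
        (classes / "App.class").write_bytes(b"\xca\xfe\xba\xbe" + b"\x00" * 12)
        (webapps / "webapp" / "README.txt").write_text("not a deployable artifact\n")

        baseline = build_manifest(webapps)  # taken from a known-good appliance

        # Simulate what the chained bugs let an attacker do: a new JSP in the
        # web root and a modified class file. Contents are placeholders only.
        (webapps / "webapp" / "unexpected.jsp").write_text("<%-- not shipped --%>\n")
        (classes / "App.class").write_bytes(b"\xca\xfe\xba\xbe" + b"\x01" * 12)
        (webapps / "webapp" / "README.txt").write_text("edited, but not watched\n")

        return diff_manifests(baseline, build_manifest(webapps))


def report(added, modified, removed) -> int:
    """Print findings; return a non-zero count so a cron job or script can alert on it."""
    for label, items in (("ADDED", added), ("MODIFIED", modified), ("REMOVED", removed)):
        for item in items:
            print(f"{label:9s} {item}")
    return len(added) + len(modified) + len(removed)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real usage: python check_webapps.py <known-good webapps dir> <live webapps dir>
        findings = diff_manifests(build_manifest(Path(sys.argv[1])), build_manifest(Path(sys.argv[2])))
    else:
        findings = demo()
    sys.exit(1 if report(*findings) else 0)
```

The check deliberately ignores files Tomcat will not execute (the README in the demo) and hashes rather than trusting modification times, since an attacker who can write arbitrary files can also set timestamps. The baseline must come from an appliance captured before exposure, or from Ivanti's installation media, to be meaningful.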
CVE-2023-35078 itself is a critical vulnerability (CVSS score of 10.0): it permits unauthenticated remote access to the EPMM API, which can lead to the disclosure of sensitive information, the creation of an administrative account and changes to the device configuration, all without valid credentials. Incident reports indicate that these vulnerabilities have been actively exploited against Norwegian government agencies, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning urging organizations to apply the latest security patches.
This latest development coincides with observations from Google’s Project Zero team, which reported a decline in the detection of zero-day vulnerabilities exploited in the wild—41 occurrences were noted in 2022, down from 69 in 2021. This trend reflects a potential shift in attack strategies, with a noted decrease in browser-targeted exploits.
Taken together, the two flaws form a complete remote attack path: CVE-2023-35078 supplies administrator-level access without credentials, and CVE-2023-35081 turns that access into an arbitrary file write and, from there, command execution as the tomcat user. A vulnerability that on paper requires an authenticated administrator therefore carries the practical risk of an unauthenticated remote compromise for organizations running impacted versions of EPMM.
In summary, administrators of affected EPMM appliances should apply the updates Ivanti has released for both CVE-2023-35081 and CVE-2023-35078 without delay. Because exploitation was observed before the patches were available, patching alone is not sufficient: appliances that were exposed should also be examined for unexpected JSP and .class files and for administrative accounts that nobody created, and any such findings should be treated as a compromise.