Responding to Critical Vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2023-35078)
Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, was recently revealed to contain three high-severity vulnerabilities—CVE-2023-35078, CVE-2023-35081, and CVE-2023-35082. These flaws enable threat actors to gain unauthorized access, escalate privileges, and write arbitrary files in EPMM environments.
According to cybersecurity agencies, these vulnerabilities are being actively exploited to compromise systems. Any organization using vulnerable Ivanti EPMM versions should take prompt action to assess, mitigate, and remediate the risks.
Understanding the Impact of the Ivanti EPMM Vulnerabilities
Ivanti EPMM is an enterprise mobility management (EMM) tool used by organizations to configure and secure mobile devices and applications. The software provides central management and policy enforcement for bring-your-own-device (BYOD) and corporate-owned devices across an organization.
The critical vulnerabilities arise in how Ivanti EPMM handles authentication:
- CVE-2023-35078 and CVE-2023-35082 enable unauthenticated remote users to bypass access controls and abuse API endpoints.
- CVE-2023-35081 allows authenticated admins to perform arbitrary file writes.
Attackers can chain these flaws to take complete control of EPMM servers without credentials. They can steal sensitive data, make damaging configuration changes, deploy malware, and create backdoor admin accounts.
The ease of exploitation and severity of potential impacts led to CVSS scores of 10.0 for CVE-2023-35078 and 7.2 for CVE-2023-35081. CVE-2023-35082 is likely to receive a similar critical score.
Which Ivanti EPMM Versions Are Affected?
Ivanti has confirmed the vulnerabilities affect the following product versions:
- Ivanti Endpoint Manager Mobile 11.10
- Ivanti Endpoint Manager Mobile 11.9
- Ivanti Endpoint Manager Mobile 11.8
- MobileIron Core 11.7 and earlier
Any organization using these releases should act quickly to avoid compromise.
Detecting Potential Compromise of Ivanti EPMM
If your organization utilizes a vulnerable EPMM version, thoroughly inspect systems for signs of intrusion:
- Review centralized logs for suspicious API calls that indicate exploitation.
- Check ActiveDirectory for unusual spikes in critical security events.
- Analyze EPMM network traffic for unauthorized internal communications.
- Examine systems for deleted logs or artifacts that suggest a cover up.
- Validate hashes and user agents against indicators of compromise published by NCSC-NO.
Take any evidence of compromise seriously and investigate thoroughly.
Mitigating the Ivanti EPMM Vulnerabilities
If using vulnerable Ivanti EPMM versions, immediately upgrade to patched releases 11.10.0.3, 11.9.1.2, or 11.8.1.2. For outdated MobileIron Core deployments, migration to Ivanti EPMM is required.
Ivanti also provides two RPM scripts to further harden installations:
- The first disables vulnerable API endpoints as a temporary workaround.
- The second delivers an official fix and should be installed after upgrading.
Be sure to follow Ivanti’s guidance for reloading the system after applying each script. Comprehensive patching, upgrading, and running both scripts is critical for fully resolving the vulnerabilities.
Make Vulnerability Management a Priority
To stay ahead of emerging threats like the Ivanti EPMM flaws, organizations should continuously monitor assets, maintain awareness of vulnerabilities in use, and promptly patch software.
Solutions like ResilientX Network Security Scanner can instantly detect products affected by new vulnerabilities among Internet-facing assets, enabling rapid response. Configuration checks and virtual patching provide additional protection.
Regular scanning, penetration testing, upgrading, and patching processes are key to reducing risk. Prioritizing vulnerability management and response is imperative for security in modern IT environments.