Ivanti

CISA warns that a critical authentication bypass vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) and MobileIron Core device management software (patched in August 2023) is now under active exploitation.

Tracked as CVE-2023-35082, the flaw is a remote unauthenticated API access vulnerability affecting all versions of EPMM 11.10, 11.9, and 11.8 and MobileIron Core 11.7 and below,.

Successful exploitation provides attackers access to personally identifiable information (PII) of mobile device users and can let them backdoor compromised servers when chaining the bug with other flaws.

"Ivanti has an RPM script available now. We recommend customers first upgrade to a supported version and then apply the RPM script," the company said in August. "More detailed information can be found in this Knowledge Base articleon the Ivanti Community portal."

Cybersecurity company Rapid7, which discovered and reported the vulnerability, provides indicators of compromise(IOCs) to help admins detect signs of a CVE-2023-35082 attack.

According to Shodan, 6,300 Ivanti EPMM user portals are currently exposed online, while the Shadowserver threat monitoring platform tracks 3,420 Internet-exposed EPMM appliances.

Shodan's data also reveals that the more than 150 instances linked to government agencies worldwide can be directly accessed via the Internet.

Internet-exposed Ivanti EPMM user portals
Internet-exposed Ivanti EPMM user portals (Shodan)

​While it has yet to provide further details on CVE-2023-35082 active exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation and says there's no evidence of abuse in ransomware attacks.

The cybersecurity agency also ordered U.S. federal agencies to patch it by February 2, as required by a binding operational directive (BOD 22-01) issued three years ago.

Ivanti has yet to update its August advisories or issue another notification warning that attackers are using this security vulnerability in the wild.

Two other Ivanti Connect Secure (ICS) zero-days, an auth bypass (CVE-2023-46805) and a command injection (CVE-2024-21887) are now also under mass exploitation by multiple threat groups, starting January 11.

Victims compromised so far range from small businesses to multiple Fortune 500 companies from various industry sectors, with the attackers having already backdoored over 1,700 ICS VPN appliances using a GIFTEDVISITOR webshell variant.

Multiple other Ivanti zero-days (i.e., CVE-2021-22893, CVE-2023-35078, CVE-2023-35081, CVE-2023-38035) have been exploited in recent years to breach dozens of government, defense, and financial organizations across the United States and Europe, several Norwegian government organizations, as well as in targeted attacks.

Related Articles:

CISA cautions against using hacked Ivanti VPN gateways even after factory resets

New Fortinet RCE bug is actively exploited, CISA confirms

CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday

CISA emergency directive: Mitigate Ivanti zero-days immediately

FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks