
Date: 24-07-2023

On July 24, 2023, Ivanti published a security advisory regarding a critical vulnerability discovered in Ivanti Endpoint Manager Mobile (EPMM)[1]. This vulnerability allows an unauthenticated remote actor to potentially access personally identifiable information and make changes to the configuration of the server.

Reports of this vulnerability being exploited in the wild have surfaced[3]. The NCSC published an advisory[5] urging organizations to apply the patches published by the vendor[2].

Ivanti published a patch to remediate the vulnerability[2]. We urgently advise applying this patch.

Description

A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. 

If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to access specific API paths. An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes, including creating an EPMM administrative account that can make further changes to a vulnerable system[6].

The CVE for this vulnerability is CVE-2023-35078 with a CVSSv3 base score of 10.0[4].

Impact

Given the potential access to personally identifiable information and the potential for configuration changes and subsequent privilege escalation, we estimate the impact of this vulnerability as high.

Risk

Reports of this vulnerability being exploited in the wild have surfaced. We estimate the risk of this vulnerability as high.

Mitigation

Ivanti published a patch to remediate the vulnerability[2]. We recommend applying this patch as soon as possible.

What should you do?

We urge you to patch Ivanti EPMM as soon as possible following the instructions published by the vendor[2].

What will Northwave do?

Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure. 

We will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. You can call us by phone or send us an email if you would like additional information.

 

E-mail: soc@northwave.nl

Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000

Disclaimer applies, see below.

 

Sources

[1]: https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US

[2]: https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078

[3]: https://www.securityweek.com/ivanti-zero-day-vulnerability-exploited-in-attack-on-norwegian-government/

[4]: https://nvd.nist.gov/vuln/detail/CVE-2023-35078

[5]: https://advisories.ncsc.nl/advisory?id=NCSC-2023-0379

[6]: https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-security-updates-endpoint-manager-mobile-epmm-cve-2023-35078


Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.