
Ivanti Endpoint Manager Mobile Vulnerability

This live blog contains information regarding a vulnerability in Ivanti Endpoint Manager Mobile. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on August 8, 2023.

Update 8 August 2023

11:00 | On the 7th of August, Ivanti has published a new article regarding vulnerability CVE-2023-35082. On the 3rd of August we already wrote about this vulnerability, impacting version 11.2 and older of MobileIron Core/Endpoint Manager Mobile (EPMM).

The new article states that not only the unsupported version 11.2 is impacted, but also all currently supported versions. This is significant, as the CVSS score of 10 and the impact of the vulnerability have not changed. Additionally, a public proof-of-concept exploit is already available. The newly added impacted versions are:

  • 8.1.2
  • 9.1.2
  • 10.0.3
  • 7 and below (MobileIron Core)

Ivanti has released an RPM script to address CVE-2023-35082. This script does not address the prior vulnerabilities CVE-2023-35078 and CVE-2023-35081.

More information about the exploit and the RPM script can be found here:

Call to action

  • Upgrade to version 11.8.1.2, 11.9.1.2 or 11.10.0.3 to address CVE-2023-35078 and CVE-2023-35081;
  • Apply the RPM script to address CVE-2023-35082;
  • Search the logs in /var/log/httpd for suspicious paths, for example with the following command:
    • zgrep -E "\/.+\/.+\/api\/v2\/" /var/log/httpd/*
  • Perform additional scanning to identify potential exploitation. This can be done using the Nextron THOR scanner, as described in our update on the 4th of August.

If you find anything suspicious, would like a thorough scan of the system or prefer our assistance, please contact T-CERT via [email protected]. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In case of an emergency, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 4 August 2023

16:00 | On the 3rd of August, an exploit for CVE-2023-35082 was made publicly available. This exploit is similar to the exploit for CVE-2023-35078 but uses a different path. The detection steps mentioned in our post of the 26th of July for CVE-2023-35078 also apply to this vulnerability.

More information about the exploit can be found here:

Our partner Nextron has published a blog describing step by step how to use their THOR APT scanner to identify potential exploitation of CVE-2023-35078, CVE-2023-35081 and/or CVE-2023-35082 on your Ivanti EPMM / MobileIron Core appliance. This blog uses the THOR Lite scanner and explains how the scan can be performed.

T-CERT can perform an even more thorough scan for you using the full version of the THOR APT scanner. In addition, we will interpret the scan results and provide you with advice.

The blog published by Nextron can be found here:

If you prefer our assistance, please contact T-CERT via [email protected]. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In case of an emergency, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 3 August 2023

15:00 | On the 2nd of August, Ivanti published a security blog regarding a new critical vulnerability. The vulnerability is registered as CVE-2023-35082 and classified as an authentication bypass vulnerability in MobileIron Core/Endpoint Manager Mobile (EPMM). When exploited, the vulnerability allows an unauthenticated remote attacker to potentially access users’ personally identifiable information and make limited changes to the server. The vulnerability has a CVSS score of 10, which implies a low attack complexity and a high risk of exploitation with high impact.

The vulnerability exists in versions 11.2 and older and is fixed in version 11.3. Version 11.2 has been end-of-support since the 15th of March 2022. It is advised to use supported versions of products only. If you use a supported version of the product and have applied the patches required for the earlier two vulnerabilities (CVE-2023-35078 and CVE-2023-35081), no action is required.

More information regarding CVE-2023-35082 can be found here:

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 31 July 2023

12:00 | A proof-of-concept exploit for CVE-2023-35078 has been published on GitHub. This was expected, given the information already available and the low complexity of the vulnerability. The vulnerability was already being exploited by a specific adversary group, but an exploit is now also publicly available. Exploitation with the proof-of-concept exploit will show up in the logs when using the instructions shared earlier.

If an Ivanti Endpoint Manager Mobile (EPMM) server is not patched for CVE-2023-35078 at this moment, it should be considered compromised. It is advised to investigate the appliance for exploitation of the vulnerability. Please contact T-CERT for assistance at [email protected].

The proof-of-concept exploit can be found here:

Additionally, a new vulnerability has been published for EPMM and is registered as CVE-2023-35081. The vulnerability enables an authenticated administrator to perform arbitrary file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACL restrictions. The following supported versions of Ivanti EPMM are vulnerable:

  • Version 11.4 releases 11.10.0.2, 11.9.1.1 and 11.8.1.1 or earlier;
  • Older versions/releases

Security updates are available. Please upgrade as soon as possible to one of the following versions:

  • EPMM 11.8.1.2
  • EPMM 11.9.1.2
  • EPMM 11.10.0.3

The advisory of Ivanti regarding CVE-2023-35081 can be found here:

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 26 July 2023

12:30 | Norwegian cyber security company Mnemonic has published a blog containing more detailed information regarding the vulnerability CVE-2023-35078 and its discovery. The details provided, combined with the low complexity of the vulnerability and other published information, make performing the exploit straightforward. It is highly likely that other actors have access to this information as well and will exploit this vulnerability. Therefore it is highly recommended to apply the provided security updates as soon as possible!

Additionally, it is advised to inspect the HTTP logs for suspicious requests. As described in the blog by Mnemonic, the base URL for all API calls is https://[core server]/api/v2/. If the path to a vulnerable endpoint is prepended, no authentication is needed to execute commands, like this: https://[core server]/<vulnerable>/<path>/api/v2/. After you have applied the patch, it is highly recommended to inspect the HTTP logs stored in /var/log/httpd for suspicious requests containing the following pattern:

  • /<vulnerable>/<path>/api/v2/

For example, with the following command:

  • zgrep -E "\/.+\/.+\/api\/v2\/" /var/log/httpd/*
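The following is an added example, not part of the Tesorion post, that implements the log check described here and in the 8 August call to action: it reports requests whose request path has at least two segments in front of /api/v2/. Unlike a whole-line zgrep, it matches only the request target field of the Apache combined log format, so a Referer header that happens to contain the same pattern does not trigger a hit. The log lines, IP addresses and the /example/segment/ prefix are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed Apache-style access log modelled on the /var/log/httpd format.
# /example/segment/ is a placeholder prefix, not a real bypass path; the last
# line carries the pattern only in its Referer header, not in the request path.
SAMPLE_LOG="${TMPDIR:-/tmp}/epmm_sample_$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [26/Jul/2023:10:15:02 +0200] "GET /api/v2/ping HTTP/1.1" 401 0 "-" "curl/8.1"
203.0.113.10 - - [26/Jul/2023:10:15:05 +0200] "GET /example/segment/api/v2/ping HTTP/1.1" 200 512 "-" "curl/8.1"
198.51.100.7 - - [26/Jul/2023:10:16:11 +0200] "GET /example/segment/api/v2/users HTTP/1.1" 200 9834 "-" "python-requests/2.31"
192.0.2.44 - - [26/Jul/2023:10:17:30 +0200] "GET /portal/login.jsp HTTP/1.1" 200 2201 "https://intranet.example/a/b/api/v2/docs" "Mozilla/5.0"
EOF

# Hypothetical helper: prints one line per request whose request target ($7 in
# the combined log format) matches /<segment>/<segment>/api/v2/, then a count.
# Rotated .gz logs are decompressed on the fly so one loop covers /var/log/httpd/*.
scan_epmm_log() {
    { case "$1" in
        *.gz) gzip -cd "$1" ;;
        *)    cat "$1" ;;
      esac
    } | awk '
        $6 ~ /^"(GET|POST|PUT|DELETE|PATCH|HEAD)$/ && $7 ~ /^\/.+\/.+\/api\/v2\// {
            hits++
            print $4 " " $1 " " $6 " " $7 " status=" $9
        }
        END { print "suspicious_requests=" hits + 0 }
    '
}

# Only the number of hits, for use in scripts or alerting thresholds.
count_epmm_hits() {
    scan_epmm_log "$1" | sed -n 's/^suspicious_requests=//p'
}

# On an appliance this would be run as:  for f in /var/log/httpd/*; do scan_epmm_log "$f"; done
scan_epmm_log "$SAMPLE_LOG"
```

A hit on a 200 response is the interesting case: the unauthenticated base path /api/v2/ should return 401, as the first sample line shows.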

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 25 July 2023

10:00 | On the 24th of July, Ivanti released a security blog describing a critical vulnerability. The vulnerability is registered as CVE-2023-35078 and allows an unauthenticated remote attacker to access users’ personally identifiable information and make limited changes to the server, including the creation of an EPMM administrative account that can make further changes to a vulnerable system.

Exploits of CVE-2023-35078 have been observed in the wild against a very small number of customers. Ivanti has released software updates. It is highly recommended to apply these security patches as soon as possible.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Vulnerability information

On the 24th of July, Ivanti released a security blog describing a critical vulnerability. The vulnerability is registered as CVE-2023-35078 and allows an unauthenticated remote attacker to access users’ personally identifiable information and make limited changes to the server, including the creation of an EPMM administrative account that can make further changes to a vulnerable system.

Exploits of CVE-2023-35078 have been observed in the wild against a very small number of customers. Ivanti has released software updates. It is highly recommended to apply these security patches as soon as possible.

Potential Risk

The vulnerability CVE-2023-35078 has a CVSS score of 10. The CVSS scale runs from 0 to 10. A score of 10 is rare and implies a low attack complexity and a high risk of exploitation with high impact. The CVE-2023-35078 vulnerability in Ivanti Endpoint Manager Mobile allows an unauthenticated remote attacker to access users’ personally identifiable information and make limited changes to the server. This includes the creation of an EPMM administrative account that can make further changes to a vulnerable system.

Exploits of CVE-2023-35078 have been observed in the wild against a very small number of customers and are likely used in attacks against the Norwegian government. Combined with the exposed nature of the affected solutions, this makes it a very critical vulnerability which must be patched as soon as possible.

Detail info

Ivanti Endpoint Manager Mobile (EPMM) was formerly known as Ivanti MobileIron Core. The following supported versions of Ivanti Endpoint Manager Mobile are vulnerable:

  • Version 11.4 releases 11.10, 11.9 and 11.8
  • Older versions/releases

Security updates are available. Please upgrade as soon as possible to one of the following versions:

  • EPMM 11.8.1.1
  • EPMM 11.9.1.1
  • EPMM 11.10.0.2

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.
