Vulnerability in Ivanti Endpoint Manager Mobile: Tenable

Vulnerability in Ivanti Endpoint Manager Mobile: Comment from Satnam Narang, Sr. Staff Research Engineer, Tenable

A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM) that allows unauthenticated access to specific API paths. Exploiting this vulnerability grants attackers access to users’ personally identifiable information (PII) on vulnerable systems, including names, phone numbers, and other mobile device details. Additionally, attackers can make other configuration changes, including creating an administrative account within EPMM to make further modifications to the system. Ivanti has reported that a credible source has provided information regarding active exploitation of this vulnerability. Organisations running EPMM must act swiftly to safeguard their systems and the sensitive data they hold.

“Based on what’s been shared by Ivanti at this time publicly, CVE-2023-35078 has been exploited in a “limited number” of attacks against internet-facing assets. However, the severity of this vulnerability, which has been assigned a CVSSv3 score of 10.0, the maximum possible score, signals that exploitation of this flaw is likely to be relatively easy for attackers. It’s only a matter of time before public proof-of-concept code becomes available and attackers exploit this flaw more widely.

“It’s unclear if the existing attacks have been conducted by an advanced persistent threat (APT) actor or other cybercriminals. Presently, researchers are noting an increase in probing of honeypots looking for vulnerable API endpoints. Ivanti says that attackers could exploit this flaw to gain access to personally identifiable information (PII) and make “limited changes to the server.” What those changes are remains unclear, but this could certainly become a valuable tool for ransomware groups and their affiliates.

“With patches available for this flaw, organisations that utilise Ivanti Endpoint Manager Mobile (formerly MobileIron Core) should apply these patches immediately. While we don’t have public indicators of compromise for this vulnerability, if Ivanti does share these, potentially affected organisations must conduct incident response to determine any potential impact resulting from this vulnerability.”
