U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities (KEV) catalog, stating it’s being actively exploited in the wild.

The vulnerability in question is CVE-2023-35082 (CVSS score: 9.8), an authentication bypass that’s a patch bypass for another flaw in the same solution tracked as CVE-2023-35078 (CVSS score: 10.0).

“If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server,” Ivanti noted in August 2023.

All versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9 and 11.8, and MobileIron Core 11.7 and below are impacted by the vulnerability.

Cybersecurity firm Rapid7, which discovered and reported the flaw, said it can be chained with CVE-2023-35081 to permit an attacker to write malicious web shell files to the appliance.

There are currently no details on how the vulnerability is being weaponized in real-world attacks. Federal agencies are recommended to apply vendor-provided fixes by February 8, 2024.

The disclosure comes as two other zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices (CVE-2023-46805 and CVE-2024-21887) have also come under mass exploitation to drop web shells and passive backdoors, with the company expected to release updates next week.

“We have observed the threat actor target the configuration and running cache of the system, which contains secrets important to the operation of the VPN,” Ivanti said in an advisory.

“While we haven’t observed this in every instance, out of an abundance of caution, Ivanti is recommending you rotate these secrets after rebuild.”

Volexity, earlier this week, revealed that it has been able to find evidence of compromise of over 1,700 devices worldwide. While initial exploitation was linked to a suspected Chinese threat actor named UTA0178, additional threat actors have since joined the exploitation bandwagon.

Further reverse engineering of the twin flaws by Assetnote has uncovered an additional endpoint (“/api/v1/totp/user-backup-code”) by which the authentication bypass flaw (CVE-2023-46805) could be abused on older versions of ICS and obtain a reverse shell.

Security researchers Shubham Shah and Dylan Pindur described it as “another example of a secure VPN device exposing itself to wide scale exploitation as the result of relatively simple security mistakes.”