CyberSecurity SEE

Governments rush to fix security vulnerability in Ivanti Endpoint Manager Mobile

Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core, is facing a critical security flaw that has already resulted in government system breaches in Norway. The company confirmed the existence of this vulnerability, which enables remote attackers to bypass user authentication and gain unauthorized access to certain EPMM functions and resources. Tracked as CVE-2023-35078, this flaw has been assigned a CVSS score of 10 out of 10.

The US Cybersecurity and Infrastructure Security Agency (CISA) has highlighted that the issue lies with vulnerable API paths within the system. Exploiting the authentication flaw allows attackers to extract personally identifiable information (PII) and potentially even create EPMM administrative accounts for further exploitation. CISA has also expressed concern after receiving credible information suggesting that exploitation has already taken place. Ivanti has acknowledged the situation and states that they are working closely with their customers and partners to investigate the matter.

While it is unclear whether the vulnerability is being actively exploited in the US, alarming reports indicate that nearly 3,000 user portals, similar to the ones affected by this flaw, can be found on the Shodan online scanning platform. Among these portals, some have been identified as belonging to US government agencies.

The specific versions of EPMM impacted by this vulnerability are 11.4 releases 11.10, 11.9, and 11.8, according to Ivanti. However, further details regarding the flaw are currently only available to Ivanti customers. A knowledge base article related to the vulnerability requires a customer login for access. The company has yet to respond to a request for comment.

Although the true nature of this vulnerability remains uncertain, it has already been actively exploited in Norway. The Norwegian Security and Service Organization issued a statement confirming the breach and the subsequent patching of the remote access vulnerability. However, certain mobile services, such as remote email access, are currently offline as a precautionary measure. Law enforcement agencies in Norway are actively investigating the incident. Additionally, Norway’s National Cyber Security Center has urged all potentially vulnerable users to promptly apply the latest patches and has taken steps to directly notify Norwegian businesses about the situation.

The discovery of this security flaw in Ivanti Endpoint Manager Mobile highlights the critical importance of robust security measures in software development and the ongoing need for thorough vulnerability assessments. As this vulnerability has already led to breaches in government systems, it serves as a reminder that cyber threats are constantly evolving, and organizations must remain vigilant in protecting their sensitive data and systems against potential attacks.

The impact of this vulnerability on affected organizations and individuals in terms of compromised data and potential unauthorized access is significant. The need for a swift response, including patching and investigation, is crucial to mitigating further damage and potential exploitation. It is essential for users and organizations to stay informed about the latest security updates provided by software vendors and promptly apply these patches to maintain the highest level of protection against emerging threats.
