
Critical Ivanti auth bypass bug has been actively exploited, according to CISA

Ivanti's Endpoint Manager Mobile (EPMM) and MobileIron Core device management software (patched in August 2023) have a critical authentication bypass vulnerability that is currently being exploited, according to CISA.

All versions of EPMM 11.10, 11.9, and 11.8 as well as MobileIron Core 11.7 and below are affected by the flaw, which is known as CVE-2023-35082.

When the bug is chained with other flaws, successful exploitation gives attackers access to mobile device users' personally identifiable information (PII) and allows them to backdoor compromised servers.

Ivanti currently has an RPM script available. According to the company, "we advise customers to use the RPM script after upgrading to a supported version. This Knowledge Base article on the Ivanti Community portal contains more detailed information."

Indicators of compromise (IOCs) are provided by the cybersecurity company Rapid7, which found and reported the vulnerability, to assist administrators in spotting the warning signs of a CVE-2023-35082 attack.

According to Shodan, 6,300 Ivanti EPMM user portals are currently exposed online, while the Shadowserver threat monitoring platform tracks 3,420 Internet-exposed EPMM appliances.

Shodan's data also shows that more than 150 instances connected to government organizations worldwide are accessible online.

Internet-exposed Ivanti EPMM user portals (Shodan)

CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation, although the agency hasn't yet provided any additional information on CVE-2023-35082 ransomware attacks.

In accordance with a legally binding operational directive (BOD 22-01) issued three years ago, the cybersecurity agency also mandated that U.S. federal agencies patch it by February 2.

Ivanti has not yet updated its August advisories or released a notification warning that attackers are utilizing this security vulnerability in the wild.

Beginning on January 11, several threat groups also began mass-exploiting two additional Ivanti Connect Secure (ICS) zero-days: an auth bypass (CVE-2023-46805) and a command injection.

The attackers have already backdoored more than 1,700 ICS VPN appliances using a GIFTEDVISITOR webshell variant, compromising victims from small businesses to numerous Fortune 500 companies from various industry sectors.

Numerous other Ivanti zero-days, such as CVE-2021-22893, CVE-2023-35078, CVE-2023-35081, and SVE-2033-235, have been used in recent years in targeted attacks to compromise dozens of government, defense, and financial organizations throughout the United States and Europe, as well as several Norwegian government organizations.
