Ivanti EPMM vulnerability is being actively investigated, according to the U.S. Cybersecurity Agency.

Newsroom | Cyber Threat / Zero-Day, January 19, 2024

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that it is being actively exploited in the wild.

The vulnerability, CVE-2023-35082 (CVSS score: 9.8), is an authentication bypass that also serves as a patch bypass for another flaw in the same product, one tracked separately and rated 10.0.

Ivanti noted in August 2023 that this vulnerability allows an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server.

The vulnerability affects all Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9, and 11.8 releases, as well as MobileIron Core 11.7 and lower.

According to cybersecurity company Rapid7, which found and reported the flaw, it can be chained with CVE-2023-35081 to allow an attacker to write malicious web shell files to the appliance.

There are currently no specifics on how the vulnerability is being used in real-world attacks. Federal agencies are advised to apply the vendor-provided fixes by February 8, 2024.

The company is expected to release updates next week. The disclosure coincides with two other zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices (CVE-2023-46805 and CVE-2024-21887) that have also been subjected to widespread exploitation to drop web shells and passive backdoors.

Ivanti stated in an advisory, "We have observed the threat actor target the system's configuration and running cache, which contains secrets crucial to the operation of the VPN."

Although we haven't always noticed this, Ivanti is advising you to rotate these secrets after rebuilding out of extreme caution.

Earlier this week, Volexity announced that it had located evidence of compromise on more than 1,700 devices worldwide. Although the initial exploitation was linked to UTA0178, a suspected Chinese threat actor, other threat actors have since joined the bandwagon.

Further reverse engineering of the twin flaws by Assetnote has uncovered an additional endpoint ("/api/v1/totp/user-backup-code") that makes it possible to exploit the CVE-2023-46805 authentication bypass bug on older versions of ICS and obtain a reverse shell.

Security researchers Shubham Shah and Dylan Pindur described it as "another instance of a secure VPN device exposing itself to widespread exploitation due to relatively simple security mistakes."
