Ivanti EPMM zero-day vulnerability exploited in wild

Ivanti disclosed a zero-day vulnerability Monday that was used in an attack against a Norwegian government agency.

The flaw, tracked as CVE-2023-35078, is an authentication bypass vulnerability that affects Ivanti Endpoint Manager Mobile (EPMM), a mobile management software engine previously known as MobileIron Core. In its advisory published on Monday, Ivanti said the bug "enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server."

HackerOne rated the flaw a base CVSS score of 10 -- the highest severity possible.

All supported versions of EPMM -- Version 11.4 releases 11.10, 11.9 and 11.8 -- are affected, but the vendor said older and unsupported versions of the product are also at risk. A patch is available now, and an RPM script is available for customers using earlier versions to remediate. In an advisory, CISA urged Ivanti customers to review the security advisory and apply patches.

UPDATE 7/31: On July 28, Ivanti published an additional security advisory for a second zero-day vulnerability, CVE-2023-35081, in its EPMM product, which affects all supported versions. Ivanti released a patch for the flaw, which is a remote arbitrary file write vulnerability. The zero day has been exploited in the wild against "the same limited number of customers impacted by CVE-2023-35078," Ivanti said.

In its blog post dedicated to CVE-2023-35078, Ivanti said it was "only aware of a very limited number of customers that have been impacted." However, one such customer has come to light -- the Norwegian government's Departments' Security and Service Organization (DSS).

Norwegian cyber agency National Security Authority said in a LinkedIn post that CVE-2023-35078 was used in a cyber attack against the DSS and all relevant parties were in an ongoing dialogue to patch the vulnerability in DSS systems.

Initial reports of CVE-2023-35078 came Monday when security researchers claimed on Twitter that a new zero day had been detailed on Ivanti's customer support forum. Because the forum is only accessible to customers only, the initial advisory was effectively paywalled until the vendor detailed the bug later on Monday. Moreover, the knowledge base article detailing remediations still requires customer login.

TechTarget Editorial contacted Ivanti for additional comment about the DSS attack, the paywalled advisory and for access to the knowledge base article. A spokesperson declined to share the article or answer the questions directly but shared the following statement:

Ivanti was informed late last week by a credible source of a suspected vulnerability. We immediately investigated, developed the patch, and released it to customers within days of notification, and are actively engaging with customers to help them apply the fix. Our customers' security is our top priority.

The security advisory is available publicly on Ivanti's blog. Because of the potential for exploitation, and at the request of our customers and partners, we were providing extra time for our customers to apply the patch before information on the vulnerability was public. We are upholding our commitment to deliver and maintain secure products, while practicing responsible disclosure protocols.

We have been in contact with NCSC-NO [the Norwegian National Cyber ​​Security Center] and continue to work with the appropriate government agencies on coordinated disclosure, including working closely with CISA.

Alexander Culafi is a writer, journalist and podcaster based in Boston.