U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical flaw, now patched, affecting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its catalog of Known Exploited Vulnerabilities (KEV). This flaw, identified as CVE-2023-35082 with a CVSS score of 9.8, is an authentication bypass that serves as a patch bypass for another vulnerability (CVE-2023-35078 with a CVSS score of 10.0) in the same solution.

The vulnerability could potentially allow an unauthorized, remote actor to access users’ personally identifiable information and make limited changes to the server, as highlighted by Ivanti in August 2023. Versions 11.10, 11.9, and 11.8 of Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core 11.7 and below are affected.

Discovered and reported by cybersecurity firm Rapid7, the flaw can be chained with CVE-2023-35081, enabling an attacker to write malicious web shell files to the appliance. While there are no specific details on real-world attacks, federal agencies are advised to apply vendor-provided fixes by February 8, 2024.

Simultaneously, two zero-day flaws in Ivanti Connect Secure (ICS) VPN devices (CVE-2023-46805 and CVE-2024-21887) have also faced mass exploitation. These exploits are used to drop web shells and passive backdoors, with Ivanti expected to release updates next week. Volexity reported evidence of compromise on over 1,700 devices worldwide, initially linked to a suspected Chinese threat actor named UTA0178, but additional threat actors have since joined the exploitation efforts.

Further analysis by Assetnote revealed an additional endpoint (“/api/v1/totp/user-backup-code”) through which the authentication bypass flaw (CVE-2023-46805) could be abused on older versions of ICS, potentially yielding a reverse shell. Security researchers Shubham Shah and Dylan Pindur characterized this incident as “another example of a secure VPN device exposing itself to wide-scale exploitation due to relatively simple security mistakes.”