CVE-2023-35078
📋 TL;DR
CVE-2023-35078 is an authentication bypass vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that allows unauthenticated attackers to access administrative APIs and functionality. This affects organizations using Ivanti EPMM for mobile device management. Attackers can exploit this remotely without any credentials.
💻 Affected Systems
- Ivanti Endpoint Manager Mobile (EPMM)
- Ivanti MobileIron Core
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the EPMM system, allowing attackers to execute arbitrary commands, access sensitive data, deploy malicious configurations to managed devices, and pivot to internal networks.
Likely Case
Unauthorized access to administrative functions, data exfiltration of mobile device information, and potential deployment of malicious configurations to managed mobile devices.
If Mitigated
Limited impact if network segmentation, strict firewall rules, and other compensating controls prevent access to the vulnerable system.
🎯 Exploit Status
Multiple proof-of-concept exploits are publicly available. The vulnerability is actively being exploited in the wild according to CISA and vendor advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: EPMM 11.10.0.2, 11.9.1.2, 11.8.1.2
Vendor Advisory: https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the Ivanti support portal.
2. Back up your EPMM configuration and database.
3. Apply the patch following Ivanti's installation guide.
4. Restart the EPMM services.
5. Verify the patch was successfully applied.
🔧 Temporary Workarounds
Network Segmentation and Access Control
Restrict network access to EPMM administration interfaces using firewall rules and network segmentation.
Disable Internet-Facing Access
Remove EPMM from internet-facing networks and require VPN access for administration.
🧯 If You Can't Patch
- Immediately isolate the EPMM system from internet access and restrict internal network access
- Implement strict network monitoring and alerting for any unauthorized access attempts to EPMM APIs
🔍 How to Verify
Check if Vulnerable:
Check the EPMM version in the administration console. If the version is in the 11.10, 11.9 or 11.8 branch and below the corresponding patched release (11.10.0.2, 11.9.1.2, 11.8.1.2), the system is vulnerable.
Check Version:
Check via EPMM web interface: Administration > About, or use API endpoint /api/mdm/devices/version
Verify Fix Applied:
Verify the EPMM version shows 11.10.0.2, 11.9.1.2, or 11.8.1.2 in the administration console after patching.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated API requests to administrative endpoints
- Multiple failed authentication attempts followed by successful API access without credentials
- Unusual administrative actions from unexpected IP addresses
Network Indicators:
- Unusual API traffic patterns to EPMM administrative endpoints
- Requests to /api/mdm/devices or other administrative APIs without authentication headers
SIEM Query:
source="epmm" AND (http_method="POST" OR http_method="GET") AND uri_path="/api/mdm/*" AND NOT (user!="" OR auth_token!="")
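As an added illustration of the log indicators above (example code, not part of the original advisory), the following Python script scans constructed sample access-log lines for successful requests to /api/mdm/* paths that carry neither a user identity nor an authentication token, and counts them per source IP. The log layout and the user="..."/auth="..." fields are assumptions; adapt the regex to your EPMM log format.

```python
import re
from typing import Optional

# Constructed sample log lines (assumption: real EPMM access logs may use a
# different layout; adjust LOG_RE to match your deployment).
SAMPLE_LOGS = """\
203.0.113.7 - - [24/Jul/2023:10:01:02 +0000] "GET /api/mdm/devices HTTP/1.1" 200 5120 user="-" auth="-"
203.0.113.7 - - [24/Jul/2023:10:01:05 +0000] "GET /api/mdm/users HTTP/1.1" 200 880 user="-" auth="-"
10.0.4.21 - - [24/Jul/2023:10:02:11 +0000] "GET /api/mdm/devices HTTP/1.1" 200 5120 user="admin" auth="Basic"
10.0.4.22 - - [24/Jul/2023:10:03:40 +0000] "POST /api/mdm/config HTTP/1.1" 200 210 user="-" auth="Bearer"
198.51.100.9 - - [24/Jul/2023:10:04:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1200 user="-" auth="-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ user="(?P<user>[^"]*)" auth="(?P<auth>[^"]*)"$'
)

# Administrative API prefix named in the advisory's network indicators.
ADMIN_API_PREFIX = "/api/mdm/"

def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec: dict) -> bool:
    """Flag a request to an administrative API path that was served with a
    2xx status while carrying neither a user identity nor an auth token."""
    unauthenticated = rec["user"] in ("", "-") and rec["auth"] in ("", "-")
    return (rec["path"].startswith(ADMIN_API_PREFIX)
            and rec["status"].startswith("2")
            and unauthenticated)

def find_unauthenticated_admin_requests(log_text: str) -> list:
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append(rec)
    return hits

def suspicious_source_ips(log_text: str) -> dict:
    """Count flagged requests per source IP so repeat offenders surface first."""
    counts = {}
    for rec in find_unauthenticated_admin_requests(log_text):
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for ip, n in sorted(suspicious_source_ips(SAMPLE_LOGS).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} unauthenticated request(s) to {ADMIN_API_PREFIX}*")
```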
🔗 References
- https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability
- https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078
- https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-security-updates-endpoint-manager-mobile-epmm-cve-2023-35078
- https://www.ivanti.com/blog/cve-2023-35078-new-ivanti-epmm-vulnerability
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-35078