CVE-2023-35082
📋 TL;DR
CVE-2023-35082 is an authentication bypass vulnerability in Ivanti EPMM (formerly MobileIron Core) that allows remote unauthenticated attackers to access administrative API endpoints. This affects Ivanti EPMM 11.10 and older versions, potentially enabling attackers to compromise the entire mobile device management system.
💻 Affected Systems
- Ivanti EPMM
- MobileIron Core
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to deploy malicious configurations to managed mobile devices, steal sensitive corporate data, and pivot to internal networks.
Likely Case
Unauthorized access to administrative functions, configuration changes, and potential data exfiltration from the EPMM system.
If Mitigated
Limited impact if network segmentation prevents external access and strong authentication controls are in place for internal users.
🎯 Exploit Status
CISA has added this to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.11 or later
Vendor Advisory: https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older
Restart Required: Yes
Instructions:
1. Download Ivanti EPMM 11.11 or later from the Ivanti support portal.
2. Back up the current configuration.
3. Apply the patch following Ivanti's upgrade documentation.
4. Restart the EPMM service.
5. Verify that the patch was applied successfully.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to EPMM management interfaces to trusted IP addresses only
Web Application Firewall Rules
Implement WAF rules to block suspicious API requests to EPMM endpoints
🧯 If You Can't Patch
- Immediately isolate the EPMM server from internet access and restrict internal network access
- Implement strict network monitoring and alerting for any unauthorized access attempts to EPMM APIs
🔍 How to Verify
Check if Vulnerable:
Check the EPMM version via the admin interface or by examining the application files. Versions 11.10 and below are vulnerable.
Check Version:
Check the admin interface or review the application version in the EPMM installation directory
Verify Fix Applied:
Verify the version is 11.11 or later and test that unauthenticated API access to administrative endpoints is no longer possible.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated API requests to administrative endpoints
- Unusual authentication bypass patterns in access logs
- Multiple failed authentication attempts followed by successful API access
Network Indicators:
- Unusual traffic patterns to EPMM API endpoints from unauthenticated sources
- HTTP requests to administrative APIs without proper authentication headers
SIEM Query:
source="epmm" AND (http_method="POST" OR http_method="GET") AND uri_path="/api/*" AND NOT auth_status="successful"
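The SIEM query above expresses the detection idea as a search; the following is an added example (not from the advisory, Ivanti, or CISA) that applies the same logic in Python to constructed log lines. The log layout, the field names, the `auth=` marker and the `/api/` prefix are assumptions for illustration, not EPMM's real access-log format, so map them to the fields your collector actually produces. It also covers the third log indicator in the list above (failed authentication attempts followed by an API request that is served anyway).

```python
"""Detector for the log indicators listed on this page.

Added example, not code from the advisory or from Ivanti. The log format
below is an assumption chosen for readability; EPMM's real access logs use
a different layout, so parse_line() must be adapted before real use."""
import re
from collections import defaultdict

# Constructed sample lines in the assumed format:
#   <timestamp> <client_ip> <method> <path> <status> auth=<authenticated|failed|none>
SAMPLE_LOG = """\
2023-08-01T10:00:01Z 203.0.113.5 GET /api/v1/devices 200 auth=none
2023-08-01T10:00:02Z 203.0.113.5 POST /api/v1/admin/users 200 auth=none
2023-08-01T10:00:03Z 198.51.100.7 GET /api/v1/devices 200 auth=authenticated
2023-08-01T10:00:04Z 203.0.113.5 GET /login 200 auth=none
2023-08-01T10:00:05Z 192.0.2.9 POST /api/v1/admin/users 401 auth=failed
2023-08-01T10:00:06Z 192.0.2.9 POST /api/v1/admin/users 401 auth=failed
2023-08-01T10:00:07Z 192.0.2.9 GET /api/v1/admin/config 200 auth=none
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>\w+)$"
)


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    return ev


def is_unauthenticated_api_hit(ev, api_prefix="/api/"):
    """Mirror of the SIEM query: GET or POST under the API prefix where the
    request did not carry a successful authentication."""
    return (
        ev["method"] in ("GET", "POST")
        and ev["path"].startswith(api_prefix)
        and ev["auth"] != "authenticated"
    )


def detect(log_text, api_prefix="/api/"):
    """Return (hits, served).

    hits:   every unauthenticated API request (what the SIEM query returns).
    served: per source IP, how many of those requests got a 2xx response.
            A correctly enforced admin endpoint should never serve such a
            request, so any non-zero count deserves a look."""
    hits = []
    served = defaultdict(int)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if is_unauthenticated_api_hit(ev, api_prefix):
            hits.append(ev)
            if 200 <= ev["status"] < 300:
                served[ev["ip"]] += 1
    return hits, dict(served)


def failed_then_served(log_text, min_failures=2, api_prefix="/api/"):
    """Third log indicator: sources with at least min_failures failed-auth
    API requests that afterwards had an unauthenticated API request served."""
    failures = defaultdict(int)
    flagged = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or not ev["path"].startswith(api_prefix):
            continue
        if ev["auth"] == "failed":
            failures[ev["ip"]] += 1
        elif ev["auth"] == "authenticated":
            failures[ev["ip"]] = 0  # a real login resets the sequence
        elif 200 <= ev["status"] < 300 and failures[ev["ip"]] >= min_failures:
            flagged.add(ev["ip"])
    return flagged


if __name__ == "__main__":
    hits, served = detect(SAMPLE_LOG)
    print(f"{len(hits)} unauthenticated API requests; served per source: {served}")
    print("failed-then-served sources:", sorted(failed_then_served(SAMPLE_LOG)))
```

The `served` counts are the useful triage signal: unauthenticated requests that are rejected are normal noise on an internet-facing host, whereas a 2xx on an administrative path without a session is exactly the behaviour a bypass produces and should be escalated, with the version check from "How to Verify" run on the affected host.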
🔗 References
- https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-35082