CVE-2023-39335
📋 TL;DR
This vulnerability allows unauthenticated attackers to impersonate any existing user during device enrollment in Ivanti EPMM (formerly MobileIron Core). It affects EPMM versions 11.10, 11.9, 11.8 and older, enabling unauthorized access to user accounts and resources.
💻 Affected Systems
- Ivanti EPMM (formerly MobileIron Core)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the EPMM environment, unauthorized access to all managed devices, data exfiltration, and lateral movement to connected enterprise systems.
Likely Case
Unauthorized device enrollment leading to data theft, privilege escalation, and potential malware deployment on managed devices.
If Mitigated
Limited impact if network segmentation prevents access to vulnerable systems and strong monitoring detects anomalous enrollment attempts.
🎯 Exploit Status
Unauthenticated exploitation makes this highly attractive to attackers. While no public PoC exists, the vulnerability description suggests straightforward exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.10.0.3, 11.9.1.2, and 11.8.1.4
Vendor Advisory: https://forums.ivanti.com/s/article/CVE-2023-39335?language=en_US
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the Ivanti support portal.
2. Back up your EPMM configuration.
3. Apply the patch following Ivanti's upgrade documentation.
4. Restart the EPMM services.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to EPMM enrollment endpoints to trusted networks only
Temporary Enrollment Disable
Disable new device enrollment if business operations allow
🧯 If You Can't Patch
- Implement strict network access controls to limit EPMM server exposure
- Enable detailed logging and monitoring for all enrollment attempts
🔍 How to Verify
Check if Vulnerable:
Check the EPMM version in Admin Console > About. The system is vulnerable if it runs an 11.10.x build earlier than 11.10.0.3, an 11.9.x build earlier than 11.9.1.2, or an 11.8.x build earlier than 11.8.1.4.
Check Version:
Check via EPMM Admin Console or API endpoint /api/v1/system/info
Verify Fix Applied:
Verify version shows 11.10.0.3, 11.9.1.2, or 11.8.1.4 after patching. Test enrollment with monitoring to ensure no unauthorized impersonation.
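The version comparison above is easy to get wrong when each branch has its own fixed build, so here is an added helper (not Ivanti's code or part of this advisory) that encodes the per-branch thresholds from the Fix section and decides whether a reported version string falls below them. It assumes four-component dotted versions like the ones listed above and, following the TL;DR, treats any branch older than 11.8 as affected; branches newer than 11.10 are outside what the advisory names and are reported as not affected.

```python
from typing import Dict, Tuple

# Patched builds per affected branch, as listed in the Fix section above.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (11, 10): (11, 10, 0, 3),
    (11, 9): (11, 9, 1, 2),
    (11, 8): (11, 8, 1, 4),
}

# Oldest branch that received a patch; anything older is "11.8 and older" in the TL;DR.
OLDEST_PATCHED_BRANCH = (11, 8)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '11.10.0.3' into (11, 10, 0, 3).

    Shorter strings ('11.9') are padded with zeros so that they compare as the
    earliest build of that branch. Assumption: numeric components only.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 2 or len(parts) > 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version: str) -> bool:
    """Return True when `version` is below the fixed build for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BUILDS:
        # Tuple comparison is lexicographic, so (11,10,0,1) < (11,10,0,3).
        return v < FIXED_BUILDS[branch]
    if branch < OLDEST_PATCHED_BRANCH:
        # No fixed build is listed for these; the advisory counts them as affected.
        return True
    # Newer branch than any named in the advisory: not covered by this check.
    return False


def assess(version: str) -> str:
    """Human-readable verdict for a single reported version string."""
    verdict = "VULNERABLE - apply the branch patch" if is_vulnerable(version) else "not affected"
    return f"EPMM {version}: {verdict}"


if __name__ == "__main__":
    for sample in ("11.10.0.1", "11.10.0.3", "11.9.1.1", "11.8", "11.7.2.0"):
        print(assess(sample))
```

Feed the function the version string from Admin Console > About, or from the system info endpoint mentioned above; the check is offline and makes no network calls.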
📡 Detection & Monitoring
Log Indicators:
- Multiple failed enrollment attempts followed by successful enrollment from same IP
- Enrollment from unusual geolocations or IP ranges
- User account enrolling devices at unusual times
Network Indicators:
- Unusual traffic patterns to /enrollment endpoints
- Multiple enrollment requests from single source in short timeframe
SIEM Query:
source="epmm" AND (event_type="enrollment" OR event_type="device_register") | stats count by src_ip, user | where count > threshold
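To show the detection logic from this section running end to end, here is an added example (not the page's SIEM query and not Ivanti's code) that applies the two log indicators, a burst of enrollment requests from one source and failed attempts followed by a success from the same IP, to constructed sample lines. The log layout (`timestamp src_ip user event result`) is a hypothetical one chosen for the example, not EPMM's real format; adapt `parse_line` to whatever your log pipeline emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log lines (hypothetical layout, not Ivanti's format).
# 203.0.113.7 shows both indicators: several enrollments in a short window
# under different user names, and failures followed by a success.
SAMPLE_LOG = """\
2023-08-01T09:00:01Z 10.0.0.5 alice enrollment success
2023-08-01T09:00:05Z 203.0.113.7 bob enrollment failure
2023-08-01T09:00:09Z 203.0.113.7 carol enrollment failure
2023-08-01T09:00:14Z 203.0.113.7 dave enrollment failure
2023-08-01T09:00:20Z 203.0.113.7 dave enrollment success
2023-08-01T10:30:00Z 10.0.0.9 erin device_register success
2023-08-01T10:45:00Z 10.0.0.9 erin enrollment success
"""

ENROLLMENT_EVENTS = {"enrollment", "device_register"}


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into its fields."""
    ts, ip, user, event, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "user": user,
        "event": event,
        "result": result,
    }


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def burst_sources(events, threshold: int = 3, window=timedelta(minutes=5)) -> List[str]:
    """Source IPs with at least `threshold` enrollment events inside any `window`.

    Uses a sliding window over each IP's sorted timestamps, which is the
    time-bounded version of the page's "stats count by src_ip".
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] in ENROLLMENT_EVENTS:
            by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


def failures_then_success(events, min_failures: int = 2) -> List[str]:
    """Source IPs whose successful enrollment follows `min_failures` failed ones."""
    failures = defaultdict(int)
    flagged = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] not in ENROLLMENT_EVENTS:
            continue
        if e["result"] == "failure":
            failures[e["ip"]] += 1
        elif e["result"] == "success" and failures[e["ip"]] >= min_failures:
            flagged.add(e["ip"])
    return sorted(flagged)


def users_per_source(events) -> Dict[str, int]:
    """Distinct user names enrolling from each IP; many users from one IP is a
    useful secondary signal for impersonation attempts."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] in ENROLLMENT_EVENTS:
            seen[e["ip"]].add(e["user"])
    return {ip: len(users) for ip, users in seen.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("burst sources:", burst_sources(evts))
    print("failures then success:", failures_then_success(evts))
    print("distinct users per source:", users_per_source(evts))
```

The window, threshold and minimum-failure counts are starting points, not tuned values; set them from a baseline of your own enrollment volume before alerting on them, since a legitimate help-desk station enrolling several devices can trip the burst rule.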