The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities catalog. The vulnerability, CVE-2023-35082, is an authentication bypass that allows unauthorized remote access to users’ personal information and limited changes to the server. All versions of EPMM 11.10, 11.9, and 11.8, as well as MobileIron Core 11.7 and below, are affected. The flaw was discovered by cybersecurity firm Rapid7, which found it can be combined with another vulnerability to write malicious web shell files to the appliance. Federal agencies are urged to apply vendor-provided fixes by February 8, 2024.
In addition to the EPMM flaw, two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN devices (CVE-2023-46805 and CVE-2024-21887) have also been exploited to drop web shells and passive backdoors. Ivanti plans to release updates for these flaws next week. The company has observed threat actors targeting the configuration and running cache of the system, potentially accessing important secrets. Ivanti recommends rotating these secrets after a rebuild. Volexity has found evidence of compromise on over 1,700 devices worldwide, initially linked to a suspected Chinese threat actor named UTA0178, but additional threat actors have joined in the exploitation.
Further analysis of the vulnerabilities by Assetnote has identified an additional endpoint that can be abused to obtain a reverse shell on older versions of ICS. Security researchers have described this as an example of a secure VPN device exposing itself to exploitation due to simple security mistakes.