
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical flaw affecting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities (KEV) catalog, saying the vulnerability is being actively exploited.
The vulnerability in question is CVE-2023-35082 (CVSS score: 9.8), an authentication bypass that is a patch bypass for another flaw in the same solution tracked as CVE-2023-35078 (CVSS score: 10.0).
“If this vulnerability is exploited, an unauthorized remote (internet-facing) actor could access a user’s personally identifiable information and make limited changes to the server,” Ivanti noted in August 2023.

All versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9, and 11.8 and MobileIron Core 11.7 and earlier are affected by this vulnerability.
Rapid7, the cybersecurity company that discovered and reported the vulnerability, said it can be chained with CVE-2023-35081, allowing attackers to write malicious web shell files to the device.
There are currently no details on how the vulnerability could be weaponized in real-world attacks. Federal agencies are advised to apply vendor-provided fixes by February 8, 2024.
The disclosure comes as two other zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in Ivanti Connect Secure (ICS) virtual private network (VPN) devices have been exploited at scale to deploy web shells and passive backdoors. The company expects to release an update next week.
“We observed threat actors targeting the system’s configuration and operational caches, which contained secrets important for VPN operation,” Ivanti said in a report.
“While we have not observed this in all cases, out of an abundance of caution, Ivanti recommends that you rotate these secrets after rebuilding.”

Volexity revealed earlier this week that it had been able to find evidence of compromise on more than 1,700 devices worldwide. While the initial exploitation was associated with a suspected Chinese threat actor named UTA0178, additional threat actors have since joined the exploitation bandwagon.
Further reverse engineering of these two flaws by Assetnote revealed an additional endpoint (“/api/v1/totp/user-backup-code”) through which, on older versions of ICS, the authentication bypass flaw (CVE-2023-46805) makes it possible to get a reverse shell.
Security researchers Shubham Shah and Dylan Pindur described it as “yet another example of a secure VPN device being exposed to massive exploitation due to a relatively simple security error.”