cbcvebase.
CVE-2023-35078
published 2023-07-25

Priority: P1 · 100 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2023-08-15
Exploited in the wild
EPSS: 100.00% (100.0th percentile)

An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication.

Affected

6 ranges
Vendor | Product | Version range | Fixed in
ivanti | endpoint_manager_mobile | < 11.11.0 | 11.11.0
ivanti | endpoint_manager_mobile | < 11.8.1.1 | 11.8.1.1
ivanti | endpoint_manager_mobile | >= 11.10 < 11.10.0.2 | 11.10.0.2
ivanti | endpoint_manager_mobile | >= 11.9.0 < 11.9.1.1 | 11.9.1.1
ivanti | epmm | |
ivanti | epmm | 11.10 – 11.10 |

Detection & IOCs (extracted from sources)

  • Detect CVE-2023-35078 exploitation chained with CVE-2023-35081 — attackers used both together to write JSP and Java .class files to disk on compromised EPMM servers.
  • Alert on unexpected JSP or Java .class file creation on Ivanti EPMM servers, as this is a known post-exploitation artifact when CVE-2023-35078 is chained with CVE-2023-35081.
  • Use Nessus plugin IDs 141340 (MobileIron Core Detection) and 141341 (MobileIron Core API Detection) to identify exposed/vulnerable EPMM assets in the environment.
  • Check Point IPS Blade signature 'Ivanti Endpoint Manager Mobile Authentication Bypass (CVE-2023-35078)' can be used for network-level detection of exploitation attempts.
  • GreyNoise tag 'IVANTI EPMM (MOBILEIRON CORE) AUTHENTICATION BYPASS ATTEMPT' can be used to identify mass-scanning IPs probing for CVE-2023-35078.
  • Refer to CISA/NCSC-NO joint advisory AA23-213A for confirmed IOCs and TTPs from real-world exploitation of CVE-2023-35078 against Norwegian government organizations.
  • A temporary RPM-based fix is available for CVE-2023-35078 that survives reboots but does NOT persist through upgrades — full patching is required.
  • CVE-2023-35082 is a distinct but related authentication bypass affecting all versions of EPMM 11.10, 11.9, and 11.8, and MobileIron Core 11.7 and below — detection coverage should include both CVEs.
  • Limited forensic logging on impacted EPMM systems delayed full scope assessment — defenders should ensure enhanced logging is enabled on EPMM appliances prior to any incident.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck | | 9.8 | CRITICAL |
cisa | | 9.8 | CRITICAL |