CVE-2023-35081
Published 2023-08-03
CVE-2023-35081: A path traversal vulnerability in Ivanti EPMM versions (11.10.x < 11.10.0.3, 11.9.x < 11.9.1.2 and 11.8.x < 11.8.1.2) allows an authenticated administrator to…
Priority: P1 · 83 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (due 2023-08-21)
Exploited in the wild
EPSS: 63.32% (99.1th percentile)
A path traversal vulnerability in Ivanti EPMM versions (11.10.x < 11.10.0.3, 11.9.x < 11.9.1.2 and 11.8.x < 11.8.1.2) allows an authenticated administrator to write arbitrary files onto the appliance.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager_mobile | >= 11.10.0 < 11.10.0.3 | 11.10.0.3 |
| ivanti | endpoint_manager_mobile | >= 11.8.0 < 11.8.1.2 | 11.8.1.2 |
| ivanti | endpoint_manager_mobile | >= 11.9.0 < 11.9.1.2 | 11.9.1.2 |
| ivanti | epmm | — | — |
| ivanti | epmm | >= 11.10.0.3 < 11.10.0.3 | 11.10.0.3 |
Detection & IOCs (extracted from sources)
- CVE-2023-35081 is chained with CVE-2023-35078 (authentication bypass) to bypass authentication and ACL restrictions before writing arbitrary files; detections should look for unauthenticated API access followed by file write activity.
- Attackers used CVE-2023-35081 to write JSP and Java .class files to the EPMM appliance disk — monitor the EPMM server filesystem for unexpected .jsp and .class file creation, especially in web-accessible directories.
- Use Tenable Nessus plugin IDs 141340 (MobileIron Core Detection) and 141341 (MobileIron Core API Detection) to identify exposed EPMM assets in the environment.
- CISA and NCSC-NO joint advisory AA23-213A contains IOCs and TTPs from real-world exploitation of CVE-2023-35078 and CVE-2023-35081 against Norwegian government organizations — review for network-level indicators.
- Limited forensic logging on impacted EPMM systems was observed — ensure verbose logging is enabled on EPMM appliances to support detection and incident response.
- CVE-2023-35081 requires an authenticated administrator session to exploit directly; however, when chained with CVE-2023-35078 (authentication bypass), no valid credentials are needed — detections must account for the chained attack path.
- Unsupported EPMM versions prior to 11.8.1.1 are also affected by CVE-2023-35081 and may not receive patches — these systems remain persistently vulnerable.
- CVE-2023-35081 is listed in the CISA Known Exploited Vulnerabilities catalog with a remediation due date of 2023-08-21, confirming active in-the-wild exploitation.
CVSS provenance
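| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |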
Ivanti
Ivanti EPMM Remote Arbitrary File Write
vendor_ivanti·2023-07-31·CVSS 7.2
CVE-2023-35081 [CRITICAL] Ivanti EPMM Remote Arbitrary File Write
Ivanti EPMM Remote Arbitrary File Write
Ivanti Endpoint Manager Mobile (EPMM) contains a path traversal vulnerability that enables an authenticated administrator to perform malicious file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078 to bypass authentication and ACL restrictions (if applicable).
CVE IDs: CVE-2023-35081
Affected products: EPMM, MobileIron
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Remediation Due Date: 2023-08-21
CISA
Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability
cisa·2023-07-31·CVSS 9.8
CVE-2023-35081 [CRITICAL] CWE-22 Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability
Vulnerability: Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability
Affected: Ivanti Endpoint Manager Mobile (EPMM)
Ivanti Endpoint Manager Mobile (EPMM) contains a path traversal vulnerability that enables an authenticated administrator to perform malicious file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078 to bypass authentication and ACL restrictions (if applicable).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://forums.ivanti.com/s/article/CVE-2023-35081-Arbitrary-File-Write?language=en_US; https://nvd.nist.gov/vuln/detail/CVE-2023-35081
Remediation Due Date: 2023-08-21
GHSA
GHSA-8cjr-8gr7-ccg3: A path traversal vulnerability in Ivanti EPMM versions (11
ghsa_unreviewed·2023-08-03
CVE-2023-35081 [HIGH] CWE-22 GHSA-8cjr-8gr7-ccg3: A path traversal vulnerability in Ivanti EPMM versions (11
A path traversal vulnerability in Ivanti EPMM versions (11.10.x < 11.10.0.3, 11.9.x < 11.9.1.2 and 11.8.x < 11.8.1.2) allows an authenticated administrator to write arbitrary files onto the appliance.
VulnCheck
Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability
vulncheck·2023·CVSS 9.8
CVE-2023-35081 [CRITICAL] CWE-22 Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability
Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability
Ivanti Endpoint Manager Mobile (EPMM) contains a path traversal vulnerability that enables an authenticated administrator to perform malicious file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078 to bypass authentication and ACL restrictions (if applicable).
Affected: Ivanti Endpoint Manager Mobile (EPMM)
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://cisa.gov/news-events/alerts/2023/07/28/ivanti-releases-security-updates-epmm-address-cve-2023-35081; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cisa.gov/news-events/ale
VulnCheck
Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability
vulncheck·2023·CVSS 9.8
CVE-2023-35078 [CRITICAL] CWE-287 Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability
Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability
Ivanti Endpoint Manager Mobile (EPMM, previously branded MobileIron Core) contains an authentication bypass vulnerability that allows unauthenticated access to specific API paths. An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes including installing software and modifying security profiles on registered devices.
Affected: Ivanti Endpoint Manager Mobile (EPMM)
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploit
No detection rules found.
No public exploits indexed.
Tenable
CVE-2026-1281, CVE-2026-1340: Ivanti Endpoint Manager Mobile (EPMM) Zero-Day Vulnerabilities Exploited
blogs_tenable·2026-01-30·CVSS 9.8
[CRITICAL] CVE-2026-1281, CVE-2026-1340: Ivanti Endpoint Manager Mobile (EPMM) Zero-Day Vulnerabilities Exploited
Bleepingcomputer
Ivanti warns of critical flaws in its Avalanche MDM solution
blogs_bleepingcomputer·2024-04-16·CVSS 9.8
[CRITICAL] Ivanti warns of critical flaws in its Avalanche MDM solution
## Ivanti warns of critical flaws in its Avalanche MDM solution
## Sergiu Gatlan
Ivanti has released security updates to fix 27 vulnerabilities in its Avalanche mobile device management (MDM) solution, two of them critical heap overflows that can be exploited for remote command execution.
Avalanche is used by enterprise admins to remotely manage, deploy software, and schedule updates across large fleets of over 100,000 mobile devices from a single central location.
As the company explained on Wednesday, the two critical security flaws (CVE-2024-24996 and CVE-2024-29204) were found in Avalanche's WLInfoRailService and WLAvalancheService components.
They are both caused by heap-based buffer overflow weaknesses, which can let unauthenticated remote attackers execute arbitrary commands on
Bleepingcomputer
CISA: Critical Ivanti auth bypass bug now actively exploited
blogs_bleepingcomputer·2024-01-18·CVSS 9.8
CVE-2023-35082 [CRITICAL] CISA: Critical Ivanti auth bypass bug now actively exploited
## CISA: Critical Ivanti auth bypass bug now actively exploited
## Sergiu Gatlan
CISA warns that a critical authentication bypass vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) and MobileIron Core device management software (patched in August 2023) is now under active exploitation.
Tracked as CVE-2023-35082, the flaw is a remote unauthenticated API access vulnerability affecting all versions of EPMM 11.10, 11.9, and 11.8 and MobileIron Core 11.7 and below.
Successful exploitation provides attackers access to personally identifiable information (PII) of mobile device users and can let them backdoor compromised servers when chaining the bug with other flaws.
"Ivanti has an RPM script available now. We recommend customers first upgrade to a supported version and then apply t
Bleepingcomputer
Ivanti Connect Secure zero-days now under mass exploitation
blogs_bleepingcomputer·2024-01-15·CVSS 8.2
CVE-2023-46805 [HIGH] Ivanti Connect Secure zero-days now under mass exploitation
## Ivanti Connect Secure zero-days now under mass exploitation
## Sergiu Gatlan
Two zero-day vulnerabilities affecting Ivanti's Connect Secure VPN and Policy Secure network access control (NAC) appliances are now under mass exploitation.
As discovered by threat intelligence company Volexity, which also first spotted the zero-days being used in attacks since December, multiple threat groups chain the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection vulnerabilities in widespread attacks starting January 11.
"Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals," Volexity warned today.
The attackers backdo
Bleepingcomputer
Ivanti warns of Connect Secure zero-days exploited in attacks
blogs_bleepingcomputer·2024-01-10·CVSS 8.2
CVE-2023-46805 [HIGH] Ivanti warns of Connect Secure zero-days exploited in attacks
## Ivanti warns of Connect Secure zero-days exploited in attacks
## Sergiu Gatlan
Ivanti has disclosed two Connect Secure (ICS) and Policy Secure (IPS) zero-days exploited by suspected Chinese hackers in the wild that can let remote attackers execute arbitrary commands on targeted gateways.
The first security flaw (CVE-2023-46805) is an authentication bypass in the appliances' web component, enabling attackers to access restricted resources by circumventing control checks, while the second (tracked as CVE-2024-21887) is a command injection vulnerability that lets authenticated admins execute arbitrary commands on vulnerable appliances by sending specially crafted requests.
When successfully chaining the two zero days, threat actors can run arbitrary commands on all supported versions o
Bleepingcomputer
Ivanti warns critical EPM bug lets hackers hijack enrolled devices
blogs_bleepingcomputer·2024-01-04·CVSS 9.8
CVE-2023-39336 [CRITICAL] Ivanti warns critical EPM bug lets hackers hijack enrolled devices
## Ivanti warns critical EPM bug lets hackers hijack enrolled devices
## Sergiu Gatlan
Ivanti fixed a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM) that can let unauthenticated attackers hijack enrolled devices or the core server.
Ivanti EPM helps manage client devices running a wide range of platforms, from Windows and macOS to Chrome OS and IoT operating systems.
The security flaw (tracked as CVE-2023-39336) impacts all supported Ivanti EPM versions, and it has been resolved in version 2022 Service Update 5.
Attackers with access to a target's internal network can exploit the vulnerability in low-complexity attacks that don't require privileges or user interaction.
"If exploited, an attacker with access to the internal network can lev
Bleepingcomputer
Ivanti releases patches for 13 critical Avalanche RCE flaws
blogs_bleepingcomputer·2023-12-20·CVSS 9.8
[CRITICAL] Ivanti releases patches for 13 critical Avalanche RCE flaws
## Ivanti releases patches for 13 critical Avalanche RCE flaws
## Sergiu Gatlan
Ivanti has released security updates to fix 13 critical security vulnerabilities in the company's Avalanche enterprise mobile device management (MDM) solution.
Avalanche allows admins to manage over 100,000 mobile devices from a single, central location over the Internet, deploy software, and schedule updates.
As Ivanti explained on Wednesday, these security flaws are due to WLAvalancheService stack or heap-based buffer overflow weaknesses reported by Tenable security researchers and Trend Micro's Zero Day Initiative.
Unauthenticated attackers can exploit them in low-complexity attacks that don't require user interaction to gain remote code execution on unpatched systems.
"An attacker sending specially c
Tenable
CVE-2023-38035: Ivanti Sentry API Authentication Bypass Zero-Day Exploited in the Wild
blogs_tenable·2023-08-22·CVSS 9.8
[CRITICAL] CVE-2023-38035: Ivanti Sentry API Authentication Bypass Zero-Day Exploited in the Wild
Unit42
Threat Brief: Multiple Vulnerabilities Including Zero-Day Remote Unauthenticated API Access – CVE-2023-35078 – in Ivanti Endpoint Manager Mobile (Updated)
blogs_unit42·2023-07-29·CVSS 9.8
CVE-2023-35078 [CRITICAL] Threat Brief: Multiple Vulnerabilities Including Zero-Day Remote Unauthenticated API Access – CVE-2023-35078 – in Ivanti Endpoint Manager Mobile (Updated)
## Threat Brief: Multiple Vulnerabilities Including Zero-Day Remote Unauthenticated API Access – CVE-2023-35078 – in Ivanti Endpoint Manager Mobile (Updated)
Unit 42
Published: July 28, 2023
## Executive Summary
Update: As of August 23, over the last three weeks this incident has developed with three additional vulnerabilities discovered in Ivanti products. The first in MobileIron Core (CVE-2023-35082; the main topic of this threat brief post when first published in July), a second vulnerability discovered in the Ivanti Avalanche product (CVE-2023-32560), and the third in the Ivanti Sentry product (CVE-2023-38035).
On July 24, 2023, Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core, publicly disclosed details about an unauthenticated API access zero-day vulnerability. CVE-2023-35078 affects versions 11.10, 11.9 and 11.8, but older versions are also at risk of possible exploitation.
At the time of writing, the only confirmed victims have been Norwegi
Tenable
CVE-2023-35078: Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core Unauthenticated API Access Vulnerability
blogs_tenable·2023-07-25·CVSS 9.8
[CRITICAL] CVE-2023-35078: Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core Unauthenticated API Access Vulnerability
Greynoiseio
The Tenth Day Of Tagsmas (2023): Three Critical Vulnerabilities in Ivanti (MobileIron) Products (CVE-2023-38035 / CVE-2023-35078 / CVE-2023-35082)
blogs_greynoiseio·CVSS 9.8
[CRITICAL] The Tenth Day Of Tagsmas (2023): Three Critical Vulnerabilities in Ivanti (MobileIron) Products (CVE-2023-38035 / CVE-2023-35078 / CVE-2023-35082)
Huntress
Ivanti mass zero-day exploits Data Breach: What Happened, Impact, and Lessons | Huntress
blogs_huntress
Ivanti mass zero-day exploits Data Breach: What Happened, Impact, and Lessons | Huntress
## Ivanti Data Breach
Published: 12/16/2025
Written by: Lizzie Danielson
When vulnerabilities go unpatched, cybercriminals are quick to exploit the gap—and that's exactly what happened with the Ivanti mass zero-day exploits. This breach targeted government and enterprise systems globally, leveraging unpatched vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM). The outcome? Sensitive data exposure, operational disruption, and heightened scrutiny on patch management practices.
## Ivanti data breach explained: what happened?
The Ivanti mass zero-day exploits were discovered in mid-2023, exposing critical vulnerabilities in the EPMM platform. These vulnerabilities allowed attackers to gain unauthorized access to sensitive information and potentially disrupt operations. The breach
Published: 2023-08-03
Added to CISA KEV: 2023-07-31
Exploited in the wild