CVE-2023-35081
published 2023-08-03

Priority: P1 (83)
CVSS 3.1: 7.2 (high), AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
KEV: CISA Known Exploited Vulnerability, due 2023-08-21
ITW: Exploited in the wild
EPSS: 63.32% (99.1th percentile)

A path traversal vulnerability in Ivanti EPMM versions (11.10.x < 11.10.0.3, 11.9.x < 11.9.1.2 and 11.8.x < 11.8.1.2) allows an authenticated administrator to write arbitrary files onto the appliance.

Affected

5 ranges
| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| ivanti | endpoint_manager_mobile | >= 11.10.0 < 11.10.0.3 | 11.10.0.3 |
| ivanti | endpoint_manager_mobile | >= 11.8.0 < 11.8.1.2 | 11.8.1.2 |
| ivanti | endpoint_manager_mobile | >= 11.9.0 < 11.9.1.2 | 11.9.1.2 |
| ivanti | epmm | | |
| ivanti | epmm | >= 11.10.0.3 < 11.10.0.3 | 11.10.0.3 |

Detection & IOCs (extracted from sources)

other: JSP files written to disk
other: Java .class files written to disk
  • CVE-2023-35081 is chained with CVE-2023-35078 (authentication bypass) to bypass authentication and ACL restrictions before writing arbitrary files; detections should look for unauthenticated API access followed by file write activity.
  • Attackers used CVE-2023-35081 to write JSP and Java .class files to the EPMM appliance disk — monitor the EPMM server filesystem for unexpected .jsp and .class file creation, especially in web-accessible directories.
  • Use Tenable Nessus plugin IDs 141340 (MobileIron Core Detection) and 141341 (MobileIron Core API Detection) to identify exposed EPMM assets in the environment.
  • CISA and NCSC-NO joint advisory AA23-213A contains IOCs and TTPs from real-world exploitation of CVE-2023-35078 and CVE-2023-35081 against Norwegian government organizations — review for network-level indicators.
  • Limited forensic logging on impacted EPMM systems was observed — ensure verbose logging is enabled on EPMM appliances to support detection and incident response.
  • CVE-2023-35081 requires an authenticated administrator session to exploit directly; however, when chained with CVE-2023-35078 (authentication bypass), no valid credentials are needed, so detections must account for the chained attack path.
  • Unsupported EPMM versions prior to 11.8.1.1 are also affected by CVE-2023-35081 and may not receive patches; these systems remain persistently vulnerable.
  • CVE-2023-35081 is listed in the CISA Known Exploited Vulnerabilities catalog with a remediation due date of 2023-08-21, confirming active in-the-wild exploitation.

CVSS provenance

nvd: v3.1, 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd: v3.0, 7.2 HIGH, CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL