CVE-2023-35082
Published: 2023-08-15
Priority: P1 · 100 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2024-02-08)
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is unique to CVE-2023-35078 announced earlier.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager_mobile | < 11.11.0 | 11.11.0 |
| ivanti | epmm | — | — |
Detection & IOCs (extracted from sources)
path: /mifs/asfV3/api/v2/
path: /mifs/aad/api/v2/
other: http.favicon.hash:362091310
other: icon_hash="362091310"
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Ivanti Endpoint Manager Mobile CVE-2023-35082 Check/Exploitation Attempt"; flow:established,to_server; http.uri; content:"/mifs/asfV3/api/v2/"; startswith; threshold:type limit, count 5, seconds 300, track by_src; reference:url,www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/; reference:cve,2023-35082; classtype:attempted-admin; sid:2047055; rev:2; metadata:affected_product Ivanti, attack_target Web_Server, created_at 2023_08_03, cve CVE_2023_35082, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_01_18, reviewed_at 2024_10_01; target:dest_ip;)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Ivanti Endpoint Manager Mobile CVE-2023-35078 Check/Exploitation Attempt"; flow:established,to_server; http.uri; content:"/mifs/aad/api/v2/"; startswith; threshold:type limit, count 5, seconds 300, track by_src; reference:url,www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/; reference:cve,2023-35078; classtype:attempted-admin; sid:2047054; rev:2; metadata:affected_product Ivanti, attack_target Web_Server, created_at 2023_08_03, cve CVE_2023_35078, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_01_18, reviewed_at 2024_10_01; target:dest_ip;)
- Exploit requests target the unauthenticated API path /mifs/asfV3/api/v2/admins/users via HTTP GET; a successful hit returns HTTP 200 with a JSON body containing the fields 'results', 'userId', and 'name', and a Content-Type header of 'application/json'.
- Ivanti EPMM / MobileIron Core servers can be fingerprinted via favicon hash 362091310 on Shodan or FOFA, enabling proactive asset identification before exploitation attempts.
- CVE-2023-35082 can be chained with CVE-2023-35081 to escalate impact; monitor for exploitation of both vulnerabilities together.
- This vulnerability is known to be used in ransomware campaigns; treat any successful exploitation as a high-severity incident requiring immediate containment.
- Ivanti's investigation found additional exploitation paths depending on the configuration of the EPMM appliance, expanding the affected scope beyond the initially disclosed version 11.2 and prior.
- CVE-2023-35082 was initially believed to be resolved incidentally in MobileIron Core 11.3 as part of a product bug fix, but was later confirmed to affect all EPMM 11.10, 11.9, 11.8 and MobileIron Core 11.7 and below.
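A log-triage sketch for the two API prefixes and the HTTP 200 indicator listed above, as an added example that is not part of the original page or any vendor tooling. The combined access-log format, the function names, and the sample lines (constructed, using documentation IP ranges) are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# URI prefixes from the page's IOC list, mapped to the CVE each rule references.
PREFIXES = {
    "/mifs/asfV3/api/v2/": "CVE-2023-35082",
    "/mifs/aad/api/v2/": "CVE-2023-35078",
}

# Assumed input: Apache/nginx "combined" access-log lines from a front-end proxy.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def triage(lines):
    """Group matching requests by source: CVEs touched, hit count, 200 responses."""
    findings = defaultdict(lambda: {"cves": set(), "hits": 0, "served": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the query string and decode percent-escapes before prefix matching.
        path = unquote(urlsplit(m["uri"]).path)
        for prefix, cve in PREFIXES.items():
            if path.startswith(prefix):
                rec = findings[m["src"]]
                rec["cves"].add(cve)
                rec["hits"] += 1
                # The page notes a successful hit returns HTTP 200: count those.
                if m["status"] == "200":
                    rec["served"] += 1
    return dict(findings)

def needs_incident_response(findings):
    """Sources that received at least one 200 from a flagged path."""
    return sorted(src for src, rec in findings.items() if rec["served"])

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [18/Jan/2024:10:01:02 +0000] "GET /mifs/asfV3/api/v2/admins/users HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [18/Jan/2024:10:01:09 +0000] "GET /mifs/asfV3/api/v2/admins/users HTTP/1.1" 401 0 "-" "-"',
    '203.0.113.9 - - [18/Jan/2024:10:02:40 +0000] "GET /mifs/aad/api/v2/ HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.44 - - [18/Jan/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "-"',
]
if __name__ == "__main__":
    for src, rec in triage(SAMPLE).items():
        print(src, sorted(rec["cves"]), rec["hits"], rec["served"])
```

Sources returned by `needs_incident_response` received data from an API path that should have required authentication and warrant containment rather than a scan-noise label.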
CVSS provenance
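| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |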
GHSA
GHSA-w2p6-rj4r-fqxv: An authentication bypass vulnerability in Ivanti EPMM 11
ghsa_unreviewed·2023-08-15·CVSS 9.8
CVE-2023-35082 [CRITICAL] CWE-287 GHSA-w2p6-rj4r-fqxv: An authentication bypass vulnerability in Ivanti EPMM 11
An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is unique to CVE-2023-35078 announced earlier.
VulnCheck
Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability
vulncheck·2023·CVSS 9.8
CVE-2023-35082 [CRITICAL] CWE-287 Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability
Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core contain an authentication bypass vulnerability that allows unauthorized users to access restricted functionality or resources of the application.
Affected: Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&host_type=src&vulnerability=cve-2023-35082; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-16&host_type=src&vulner
Ivanti
Ivanti EPMM Remote Unauthenticated API Access (MobileIron Core)
vendor_ivanti·2024-01-18·CVSS 9.8
CVE-2023-35082 [CRITICAL] Ivanti EPMM Remote Unauthenticated API Access (MobileIron Core)
Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core contain an authentication bypass vulnerability that allows unauthorized users to access restricted functionality or resources of the application.
CVE IDs: CVE-2023-35082
Affected products: EPMM, MobileIron
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Remediation Due Date: 2024-02-08
Known to be used in ransomware campaigns.
CISA
Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability
cisa·2024-01-18·CVSS 9.8
CVE-2023-35082 [CRITICAL] CWE-287 Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability
Vulnerability: Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability
Affected: Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core
Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core contain an authentication bypass vulnerability that allows unauthorized users to access restricted functionality or resources of the application.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older; https://nvd.nist.gov/vuln/detail/CVE-2023-35082
Remediation Due Date: 2024-02-08
Suricata
ET WEB_SPECIFIC_APPS Possible Ivanti Endpoint Manager Mobile CVE-2023-35078 Check/Exploitation Attempt
suricata·2023-08-03·CVSS 9.8
CVE-2023-35078 [CRITICAL] ET WEB_SPECIFIC_APPS Possible Ivanti Endpoint Manager Mobile CVE-2023-35078 Check/Exploitation Attempt
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Ivanti Endpoint Manager Mobile CVE-2023-35078 Check/Exploitation Attempt"; flow:established,to_server; http.uri; content:"/mifs/aad/api/v2/"; startswith; threshold:type limit, count 5, seconds 300, track by_src; reference:url,www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/; reference:cve,2023-35078; classtype:attempted-admin; sid:2047054; rev:2; metadata:affected_product Ivanti, attack_target Web_Server, created_at 2023_08_03, cve CVE_2023_35078, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Low, signatur
Suricata
ET WEB_SPECIFIC_APPS Possible Ivanti Endpoint Manager Mobile CVE-2023-35082 Check/Exploitation Attempt
suricata·2023-08-03·CVSS 9.8
CVE-2023-35082 [CRITICAL] ET WEB_SPECIFIC_APPS Possible Ivanti Endpoint Manager Mobile CVE-2023-35082 Check/Exploitation Attempt
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Ivanti Endpoint Manager Mobile CVE-2023-35082 Check/Exploitation Attempt"; flow:established,to_server; http.uri; content:"/mifs/asfV3/api/v2/"; startswith; threshold:type limit, count 5, seconds 300, track by_src; reference:url,www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/; reference:cve,2023-35082; classtype:attempted-admin; sid:2047055; rev:2; metadata:affected_product Ivanti, attack_target Web_Server, created_at 2023_08_03, cve CVE_2023_35082, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low
Nuclei
MobileIron Core - Remote Unauthenticated API Access
nuclei·CVSS 9.8
CVE-2023-35082 [CRITICAL] MobileIron Core - Remote Unauthenticated API Access
Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core: CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application’s security filter chain.
Template:
```yaml
id: CVE-2023-35082
info:
  name: MobileIron Core - Remote Unauthenticated API Access
  author: DhiyaneshDk
  severity: critical
  description: |
    Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, Since CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application’s security filter chain.
  impact: |
    Remote attackers can exploit this vulnerability to gain unauthorized access to sensitive data and perform mal
```
Tenable
CVE-2026-1281, CVE-2026-1340: Ivanti Endpoint Manager Mobile (EPMM) Zero-Day Vulnerabilities Exploited
blogs_tenable·2026-01-30·CVSS 9.8
[CRITICAL] CVE-2026-1281, CVE-2026-1340: Ivanti Endpoint Manager Mobile (EPMM) Zero-Day Vulnerabilities Exploited
Bleepingcomputer
CISA: Critical Ivanti auth bypass bug now actively exploited
blogs_bleepingcomputer·2024-01-18·CVSS 9.8
CVE-2023-35082 [CRITICAL] CISA: Critical Ivanti auth bypass bug now actively exploited
## CISA: Critical Ivanti auth bypass bug now actively exploited
## Sergiu Gatlan
CISA warns that a critical authentication bypass vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) and MobileIron Core device management software (patched in August 2023) is now under active exploitation.
Tracked as CVE-2023-35082, the flaw is a remote unauthenticated API access vulnerability affecting all versions of EPMM 11.10, 11.9, and 11.8 and MobileIron Core 11.7 and below.
Successful exploitation provides attackers access to personally identifiable information (PII) of mobile device users and can let them backdoor compromised servers when chaining the bug with other flaws.
"Ivanti has an RPM script available now. We recommend customers first upgrade to a supported version and then apply t
Unit42
Threat Brief: Multiple Vulnerabilities Including Zero-Day Remote Unauthenticated API Access – CVE-2023-35078 – in Ivanti Endpoint Manager Mobile (Updated)
blogs_unit42·2023-07-29·CVSS 9.8
CVE-2023-35078 [CRITICAL] Threat Brief: Multiple Vulnerabilities Including Zero-Day Remote Unauthenticated API Access – CVE-2023-35078 – in Ivanti Endpoint Manager Mobile (Updated)
## Threat Brief: Multiple Vulnerabilities Including Zero-Day Remote Unauthenticated API Access – CVE-2023-35078 – in Ivanti Endpoint Manager Mobile (Updated)
Unit 42
Published: July 28, 2023
## Executive Summary
Update: As of August 23, over the last three weeks this incident has developed with three additional vulnerabilities discovered in Ivanti products. The first in MobileIron Core (CVE-2023-35082; the main topic of this threat brief post when first published in July), a second vulnerability discovered in the Ivanti Avalanche product (CVE-2023-32560), and the third in the Ivanti Sentry product (CVE-2023-38035).
On July 24, 2023, Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core, publicly disclosed details about an unauthenticated API access zero-day vulnerability. CVE-2023-35078 affects versions 11.10, 11.9 and 11.8, but older versions are also at risk of possible exploitation.
At the time of writing, the only confirmed victims have been Norwegi
Greynoiseio
The Tenth Day Of Tagsmas (2023): Three Critical Vulnerabilities in Ivanti (MobileIron) Products (CVE-2023-38035 / CVE-2023-35078 / CVE-2023-35082)
blogs_greynoiseio·CVSS 9.8
[CRITICAL] The Tenth Day Of Tagsmas (2023): Three Critical Vulnerabilities in Ivanti (MobileIron) Products (CVE-2023-38035 / CVE-2023-35078 / CVE-2023-35082)
https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-35082
2023-08-15: Published
2024-01-18: Added to CISA KEV
Exploited in the wild