CVE-2023-35082
published 2023-08-15

Priority: P1 · 100 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2024-02-08
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
An authentication bypass vulnerability in Ivanti EPMM 11.10 and older allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is distinct from CVE-2023-35078, announced earlier.

Affected

2 ranges
Vendor   Product                   Version range   Fixed in
ivanti   endpoint_manager_mobile   < 11.11.0       11.11.0
ivanti   epmm

Detection & IOCs (extracted from sources)

url: /mifs/asfV3/api/v2/admins/users
path: /mifs/asfV3/api/v2/
path: /mifs/aad/api/v2/
other: http.favicon.hash:362091310
other: icon_hash="362091310"
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Ivanti Endpoint Manager Mobile CVE-2023-35082 Check/Exploitation Attempt"; flow:established,to_server; http.uri; content:"/mifs/asfV3/api/v2/"; startswith; threshold:type limit, count 5, seconds 300, track by_src; reference:url,www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/; reference:cve,2023-35082; classtype:attempted-admin; sid:2047055; rev:2; metadata:affected_product Ivanti, attack_target Web_Server, created_at 2023_08_03, cve CVE_2023_35082, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_01_18, reviewed_at 2024_10_01; target:dest_ip;)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Ivanti Endpoint Manager Mobile CVE-2023-35078 Check/Exploitation Attempt"; flow:established,to_server; http.uri; content:"/mifs/aad/api/v2/"; startswith; threshold:type limit, count 5, seconds 300, track by_src; reference:url,www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/; reference:cve,2023-35078; classtype:attempted-admin; sid:2047054; rev:2; metadata:affected_product Ivanti, attack_target Web_Server, created_at 2023_08_03, cve CVE_2023_35078, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_01_18, reviewed_at 2024_10_01; target:dest_ip;)
  • Exploit requests target the unauthenticated API path /mifs/asfV3/api/v2/admins/users via HTTP GET; a successful hit returns HTTP 200 with a JSON body containing the fields 'results', 'userId', and 'name', and a Content-Type header of 'application/json'.
  • Ivanti EPMM / MobileIron Core servers can be fingerprinted via favicon hash 362091310 on Shodan or FOFA, enabling proactive asset identification before exploitation attempts.
  • CVE-2023-35082 can be chained with CVE-2023-35081 to escalate impact; monitor for exploitation of both vulnerabilities together.
  • This vulnerability is known to be used in ransomware campaigns; treat any successful exploitation as a high-severity incident requiring immediate containment.
  • Ivanti's investigation found additional exploitation paths depending on the configuration of the EPMM appliance, expanding the affected scope beyond the initially disclosed version 11.2 and prior.
  • CVE-2023-35082 was initially believed to be resolved incidentally in MobileIron Core 11.3 as part of a product bug fix, but was later confirmed to affect all EPMM 11.10, 11.9, 11.8 and MobileIron Core 11.7 and below.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v3.0      10.0    CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL