Cyber Resilience

CVE-2023-35078

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 25 July 2023

Modified: 31 October 2025
KEV Added: 25 July 2023
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9444 (100.0th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-35078 is a critical-severity Improper Authentication (CWE-287) vulnerability in Ivanti Endpoint Manager Mobile. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

An authentication bypass vulnerability tracked as CVE-2023-35078 affects Ivanti Endpoint Manager Mobile (EPMM). The flaw, assigned CWE-287, permits remote attackers to reach restricted application functionality or resources without supplying valid credentials, resulting in a CVSS 3.1 base score of 9.8.

Unauthenticated attackers on the network can exploit the issue to obtain unauthorized API access and potentially compromise the confidentiality, integrity, and availability of the mobile-device management platform. No user interaction or elevated privileges are required for successful exploitation.

Ivanti has published security updates that address the vulnerability, and CISA has issued an alert directing organizations to apply the vendor patches promptly. Multiple Ivanti knowledge-base articles provide additional guidance on identifying affected versions and implementing the fixes.

The associated EPSS score has reached a peak of 0.9711 with a current value of 0.9444, indicating sustained exploitation interest following disclosure.

Vulnerability details

An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication.

CWE(s): CWE-287
KEV Date Added: 25 July 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ivanti
endpoint manager mobile
≤ 11.8.1.1 · 11.9.0 — 11.9.1.1 · 11.10 — 11.10.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication and access-control decisions before any restricted EPMM functionality or API endpoints can be reached.

prevent

Mandates identification and authentication of users prior to granting access, eliminating the unauthenticated entry point exploited by CVE-2023-35078.

prevent

Requires prompt application of vendor patches that remediate the authentication-bypass flaw (CWE-287) in Ivanti EPMM.
