CVE-2023-35082
Published: 15 August 2023
Summary
CVE-2023-35082 is a critical-severity Improper Authentication (CWE-287) vulnerability in Ivanti Endpoint Manager Mobile. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
An authentication bypass vulnerability tracked as CVE-2023-35082 affects Ivanti EPMM versions 11.10 and older, as well as the related MobileIron Core product in versions 11.2 and older. The flaw, assigned CWE-287, permits remote attackers to reach restricted application functionality or resources without presenting valid credentials and is described as distinct from the earlier CVE-2023-35078 issue. It carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required privileges or user interaction and full impact on confidentiality, integrity, and availability.
An unauthenticated attacker can directly invoke APIs or other restricted endpoints to obtain unauthorized access to sensitive management functions or data within the affected endpoint-management platform. Because the vulnerability requires no authentication, any internet-reachable instance is potentially reachable by external adversaries seeking to compromise device-management infrastructure.
Ivanti has published guidance on the remote unauthenticated API access issue in its support forums, while CISA has added the CVE to its catalog of known exploited vulnerabilities, indicating that mitigation steps such as applying vendor patches or configuration changes are addressed in those advisories.
The vulnerability shows a very high EPSS score with a current value of 0.9440 and a recorded peak of 0.9685, and its presence in the CISA KEV catalog confirms observed real-world exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-39117
Vulnerability details
An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is unique to CVE-2023-35078 announced earlier.
- CWE(s)
- KEV Date Added
- 18 January 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authentication decisions to block the unauthenticated API access path exploited by CVE-2023-35082.
Requires unique identification and authentication of users before granting access to the EPMM management functions targeted by the bypass.
Mandates prompt installation of vendor patches that remediate the authentication flaw in Ivanti EPMM 11.10 and older.