
CVE-2023-38035

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 21 August 2023
Modified: 31 October 2025
KEV Added: 22 August 2023
Patch: available (see vendor advisory)
CVSS v3.1: 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.9442 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-38035 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Ivanti MobileIron Sentry. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2023-38035 is an authentication bypass vulnerability in the MICS Admin Portal component of Ivanti MobileIron Sentry versions 9.18.0 and earlier. The flaw stems from an insufficiently restrictive Apache HTTPD configuration that fails to enforce proper access controls, corresponding to CWE-863.

Unauthenticated attackers with network access can exploit the issue to bypass authentication on the administrative interface, potentially gaining full control over the Sentry instance. With a CVSS score of 9.8, the vulnerability allows remote attackers to achieve high-impact outcomes including confidentiality, integrity, and availability compromises without requiring credentials or user interaction.

Ivanti advisory information and CISA listings direct administrators to apply available patches or configuration updates for affected Sentry deployments. Public references also include proof-of-concept material demonstrating authentication bypass leading to remote code execution.

The vulnerability appears in CISA's known exploited vulnerabilities catalog, and its EPSS score has reached a peak of 0.9751 with a current value of 0.9442, indicating sustained exploitation interest.

EU & UK References

Vulnerability details

A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

CWE(s): CWE-863 (Incorrect Authorization)
KEV Date Added: 22 August 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Ivanti
Product: MobileIron Sentry
Versions: ≤ 9.18.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement), control type: prevent. Directly enforces authentication and access-control policy on the admin portal, blocking the described bypass of Apache HTTPD restrictions.

CM-6 (Configuration Settings), control type: prevent. Requires hardened, restrictive configuration settings for the Apache HTTPD component whose insufficient restrictions enable the authentication bypass.

IA-2 (Identification and Authentication (Organizational Users)), control type: prevent. Mandates identification and authentication of organizational users before any administrative interface access is granted, directly countering the unauthenticated bypass path.
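As an added illustration of the configuration class these controls target (this is not Ivanti's actual Sentry configuration, which the page does not reproduce), the contrast below shows an Apache HTTPD Location block for an administrative portal that grants access to every client, beside a hardened block that requires both a trusted source network and an authenticated user before the portal is served. The portal path, the htpasswd file location and the management network are placeholders.

```apache
# --- Weak (illustrative): the admin portal is served to any client ---
# A broad grant like this, with no later block re-restricting the
# administrative path, leaves the portal reachable without credentials.
<Location "/ADMIN_PORTAL_PATH/">
    Require all granted
</Location>

# --- Hardened (illustrative, CM-6 + AC-3 + IA-2) ---
# Both conditions inside RequireAll must hold: the request must come
# from the constructed management network AND carry valid credentials.
<Location "/ADMIN_PORTAL_PATH/">
    AuthType Basic
    AuthName "Administrative Portal"
    # Placeholder path; keep the credential file outside the DocumentRoot.
    AuthUserFile "/PLACEHOLDER/path/to/htpasswd"
    <RequireAll>
        # Constructed example management range; replace with your own.
        Require ip 10.0.0.0/8
        Require valid-user
    </RequireAll>
</Location>

# Verification after editing: `apachectl -t` checks syntax, and
# `apachectl -S` prints the effective virtual-host and Location layout
# so a later, broader grant that would override this block is visible.
```

When auditing a deployment against CM-6, the thing to confirm is that no `Require all granted` (or equivalent) applies to the administrative path at a later or more specific scope than the restriction shown above.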

References