US Cybersecurity and Infrastructure Security Agency (CISA) added actively exploited Ivanti ‘s Endpoint Manager Mobile (EPMM) vulnerability, tracked as CVE-2023-35078, to its Known Exploited Vulnerabilities Catalog.
The vulnerability is an authentication bypass issue impacting Ivanti Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core).
An unauthorized user can exploit the flaw to access restricted functionality or resources of the application without proper authentication.
“If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server.” reads the advisory published by the software firm. “We have received information from a credible source indicating exploitation has occurred. We continue to work with our customers and partners to investigate this situation.”
This vulnerability impacts all supported versions (Version 11.4 releases 11.10, 11.9 and 11.8), but the company pointed out that older versions/releases are also at risk.
The IT software giant addressed the flaw this week with the release of EPMM 22.214.171.124, 126.96.36.199, and 188.8.131.52 patches.
Ivanti confirmed that the vulnerability is critical and urges customers to immediately address it.
“It’s a serious zero day vulnerability which is very easy to exploit, where Ivanti are trying to hide it for some reason – this will get mass internet swept. I’d strongly recommend upgrading, and if you can’t get off EOL, switch off the appliance.” wrote the popular researchers Kevin Beaumont on Mastodon.
The zero-day vulnerability was exploited by threat actors in recent attacks against the ICT platform used by twelve ministries of the Norwegian government.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this flaw by August 15, 2023.
(SecurityAffairs – hacking, Ivanti)