Urgent Security Alert: Critical Ivanti EPMM Vulnerability (CVE-2023-35082) Under Active Attack
Cybersecurity officials are sounding the alarm over a critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM), a widely used enterprise mobility management platform formerly known as MobileIron Core. This flaw, tracked as CVE-2023-35082, is being actively exploited by malicious actors in the wild, prompting an urgent call for administrators to take immediate action.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, a clear signal of the serious and ongoing threat it poses to both government and private sector organizations. If your organization uses Ivanti EPMM, this is a critical threat that requires your immediate attention.
What is the Ivanti EPMM Vulnerability?
At its core, CVE-2023-35082 is a remote unauthenticated API access vulnerability. In simple terms, this means an attacker does not need valid credentials, such as a username and password, to reach sensitive parts of the system. Any unpatched server reachable from the internet can therefore be targeted without the attacker first obtaining access of any kind.
The flaw allows an unauthorized actor to access personally identifiable information (PII) and make configuration changes to the vulnerable server. The potential for damage is significant, as a successful exploit can lead to a major data breach and further network compromise.
The Real-World Impact: What’s at Risk?
A successful exploit of this vulnerability grants attackers a powerful foothold in your network’s mobile device management system. Here’s what’s at stake:
- Exposure of Sensitive Data: Attackers can directly access and exfiltrate personally identifiable information (PII) stored on the server. This includes user names, phone numbers, and other details about the mobile devices connected to your network.
- Unauthorized System Changes: Malicious actors can alter the configuration of the EPMM server, potentially disabling security features, creating rogue admin accounts, or redirecting traffic.
- A Gateway for Deeper Attacks: Once they have control of the EPMM server, attackers can use it as a launchpad to move laterally across your network, targeting other critical systems and escalating their privileges.
This is not a theoretical threat. The vulnerability has already been leveraged in targeted attacks, including against Norwegian government ministries, demonstrating that sophisticated actors are actively using it to achieve their objectives.
A Dangerous Combination: Chaining Vulnerabilities
This threat is further amplified because attackers are often “chaining” CVE-2023-35082 with another recent Ivanti vulnerability, CVE-2023-35078. By using these two flaws in tandem, attackers can bypass security checks and write malicious files to the server, potentially leading to complete system takeover and remote code execution. This two-step attack significantly increases the severity of the initial breach.
Immediate Steps to Protect Your Organization
Given the active exploitation of this flaw, complacency is not an option. CISA and other cybersecurity experts urge all organizations using Ivanti EPMM to take the following steps without delay:
- Patch Immediately: The single most important action is to apply the security patches provided by Ivanti. The vendor has released updated versions of the software that remediate this vulnerability. Delaying this process leaves your organization exposed to a known and active threat.
- Hunt for Signs of Compromise: Do not assume your system is safe just because you’ve applied the patch. Attackers may have already breached your server before the patch was installed. Investigate your systems for any indicators of compromise (IoCs), such as unusual file creations, unexpected configuration changes, or suspicious outbound network traffic.
- Review Access Logs: Carefully analyze your server’s API authentication and access logs. Look for any unusual or unauthorized activity, especially from unknown IP addresses. This can help you determine if your server was targeted or compromised.
- Strengthen Your Security Posture: Use this incident as an opportunity to review and harden your overall security posture. Ensure your device management platforms are not unnecessarily exposed to the public internet and that all administrative access is protected by multi-factor authentication (MFA).
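An added example of the access-log review described above (it is not Ivanti’s code and not part of the original alert): it scans constructed web-server access-log lines for API requests that returned success with no authenticated user, then ranks the source addresses with unknown networks first. The combined log format, the /api/ path prefix and the trusted 10.0.0.0/8 range are assumptions; adapt them to your server’s actual log layout and management networks.

```python
"""Flag successful but unauthenticated API requests in access logs.
Added example, not Ivanti code. Assumes a combined-log-format export
(constructed sample below); the real EPMM log layout may differ."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in combined log format; not real EPMM logs.
SAMPLE_LOG = """\
10.0.5.20 - admin [21/Jul/2023:10:01:02 +0000] "GET /api/v2/devices HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.5.21 - - [21/Jul/2023:10:02:15 +0000] "GET /api/v2/devices HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jul/2023:10:03:44 +0000] "GET /api/v2/users HTTP/1.1" 200 8840 "-" "python-requests/2.31"
198.51.100.7 - - [21/Jul/2023:10:03:50 +0000] "PUT /api/v2/config HTTP/1.1" 200 120 "-" "python-requests/2.31"
10.0.5.20 - admin [21/Jul/2023:10:05:00 +0000] "GET /static/logo.png HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that matter for this review.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed management networks; requests from elsewhere rank as unknown sources.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious(log_text, api_prefix="/api/"):
    """Collect API requests that got a 2xx response without an authenticated user."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or not rec["path"].startswith(api_prefix):
            continue
        if rec["user"] == "-" and rec["status"].startswith("2"):
            rec["trusted_source"] = is_trusted(rec["ip"])
            hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged requests per source IP, unknown networks listed first."""
    counts = Counter(h["ip"] for h in hits)
    return sorted(counts.items(), key=lambda kv: (is_trusted(kv[0]), -kv[1]))


if __name__ == "__main__":
    for ip, n in summarize(find_suspicious(SAMPLE_LOG)):
        print(f"{ip}: {n} unauthenticated successful API request(s), trusted={is_trusted(ip)}")
```

Requests that were rejected (401) are deliberately left out; the interesting signal is an API call that succeeded without any user identity attached.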
The active exploitation of CVE-2023-35082 represents a clear and present danger to organizations relying on Ivanti EPMM. The time to act is now. Prioritize patching, investigate for potential compromise, and secure your systems to prevent a devastating data breach.
Source: https://securityaffairs.com/182350/malware/cisa-warns-of-malware-deployed-through-ivanti-epmm-flaws.html