Governments scramble to patch Ivanti Endpoint Manager Mobile security flaw

Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, has a serious security flaw that has already led to the compromise of government systems in Norway, the company confirmed today. The flaw, according to the company, involves a possible bypass of the system's user authentication, letting remote attackers access some EPMM functions and resources. Classified as CVE-2023-35078, the vulnerability was given a CVSS score of 10 out of a possible 10.

Authentication flaw allows access to API paths

The US Cybersecurity and Infrastructure Security Agency (CISA) stated that the issue has to do with vulnerable API paths. Attackers gaining access to those paths via the authentication flaw can extract personally identifiable information (PII) and even create EPMM administrative accounts to further exploit their access, CISA said.

"We have received information from a credible source indicating that exploitation has occurred," Ivanti said in a short statement. "We continue to work with our customers and partners to investigate this situation."

A request for comment on whether the vulnerability is being exploited in the US was not immediately returned by CISA, but reports say that nearly 3,000 user portals of the type affected by the vulnerability were visible to the Shodan online scanning platform, including several that were identified with US government agencies.

The flaw is present in EPMM version 11.4 releases 11.10, 11.9, and 11.8, Ivanti said. Further details about the vulnerability appear to be available only to Ivanti customers, as a knowledgebase article on the subject currently requires a customer login and a request for comment did not draw an immediate response from the company.

Ivanti EPMM vulnerability exploited in Norway

Whatever its exact nature, however, the vulnerability has already been actively exploited in Norway, according to a statement from the Norwegian Security and Service Organization issued yesterday. The organization said that, while the remote access vulnerability has been patched, some mobile services like remote email access are offline as a result, and that law enforcement is investigating the incident. Norway's National Cyber Security Center also issued a statement about the vulnerability, saying that it had urged all potentially vulnerable users to apply the latest patches as quickly as possible and was working to notify Norwegian businesses directly.

The Norwegian government has not yet identified any actors or groups that used the vulnerability to access its systems but reiterated that an investigation is ongoing.