CISA Warns of Critical Ivanti EPMM Code Injection Vulnerability Exploited in Attacks

Published On: April 9, 2026

Urgent Warning: CISA Flags Critical Ivanti EPMM Vulnerability Actively Exploited in Attacks

The digital landscape is a constant battlefield, and organizations relying on Mobile Device Management (MDM) solutions face persistent threats. A recent alert from the Cybersecurity and Infrastructure Security Agency (CISA) underscores this reality, highlighting a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This flaw, officially tracked as CVE-2023-35078, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming its active exploitation in real-world cyberattacks. This isn’t theoretical; threat actors are leveraging this vulnerability right now.

Understanding the Threat: CVE-2023-35078 Explained

The vulnerability, CVE-2023-35078, is a pre-authentication remote code execution (RCE) vulnerability stemming from an authentication bypass. This means an unauthenticated attacker can bypass security measures to execute arbitrary code on the affected Ivanti EPMM instance. Typically, such vulnerabilities allow attackers to:

  • Gain unauthorized access to sensitive corporate data managed by the EPMM server.
  • Take full control of the EPMM server, potentially using it as a pivot point to compromise other systems within the network.
  • Install malware, spy on users, or disrupt operations.

The severity of this flaw is compounded by the fact that it affects a system responsible for managing and securing mobile devices across an organization. Successful exploitation could lead to widespread data breaches, operational disruption, and significant reputational damage.

Why CISA’s KEV Catalog Listing Matters

When CISA adds a vulnerability to its KEV catalog, it signifies a heightened level of danger. This catalog lists vulnerabilities that have been confirmed as actively exploited in the wild. For federal civilian executive branch agencies, this listing triggers a mandatory remediation timeline, typically within a few weeks, to address the vulnerability. However, the KEV catalog also serves as a critical warning to all organizations, urging them to prioritize patching and mitigation efforts immediately.

The inclusion of CVE-2023-35078 indicates that threat actors are actively scanning for and exploiting unpatched Ivanti EPMM instances. Organizations using this product should treat this advisory with the utmost urgency.
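
One way to turn a KEV listing into a remediation queue, shown as an added example rather than code from CISA or Ivanti: it joins scanner findings against KEV entries and orders them by remediation due date. The catalog excerpt, hostnames, dates and placeholder CVE IDs are constructed for illustration; the field names follow CISA's public KEV JSON feed.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names follow
# the public feed; the dates and the second entry are made up for illustration).
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2023-35078", "vendorProject": "Ivanti",
   "product": "Endpoint Manager Mobile (EPMM)",
   "dateAdded": "2000-01-03", "dueDate": "2000-01-24"},
  {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
   "product": "ExampleProduct",
   "dateAdded": "2000-02-01", "dueDate": "2000-02-22"}
]}
""")

# Constructed scanner findings: (host, CVE id) pairs from a hypothetical export.
FINDINGS = [
    ("mdm01.example.internal", "CVE-2023-35078"),
    ("mdm02.example.internal", " cve-2023-35078 "),  # untidy ID from a scanner
    ("web01.example.internal", "CVE-0000-00001"),
    ("web01.example.internal", "CVE-0000-00002"),    # not in the KEV sample
]


def kev_triage(catalog, findings, today):
    """Return KEV-listed findings sorted by due date, with days remaining.

    A negative days_left means the KEV remediation deadline has passed.
    Findings whose CVE is absent from the catalog are left out.
    """
    kev = {v["cveID"].upper(): v for v in catalog["vulnerabilities"]}
    rows = []
    for host, cve in findings:
        entry = kev.get(cve.strip().upper())  # normalise case and whitespace
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({"host": host, "cve": entry["cveID"],
                     "product": entry["product"], "due": due,
                     "days_left": (due - today).days})
    return sorted(rows, key=lambda r: (r["due"], r["host"]))


if __name__ == "__main__":
    for r in kev_triage(KEV_SAMPLE, FINDINGS, date(2000, 2, 1)):
        state = "OVERDUE" if r["days_left"] < 0 else "due"
        print(f'{r["host"]:24} {r["cve"]:16} {state} {r["due"]} ({r["days_left"]:+d}d)')
```

In practice the catalog argument would be the parsed KEV feed downloaded from CISA and the findings would come from the scanner's export.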

Remediation Actions and Mitigations

Given the critical nature and active exploitation of CVE-2023-35078, immediate action is paramount. Ivanti has released patches to address this vulnerability. Organizations using Ivanti EPMM must:

  • Immediately Apply Patches: Refer to Ivanti’s official security advisories and promptly apply the recommended patches for all affected versions of Ivanti EPMM.
  • Isolate and Segment: Implement network segmentation to limit the potential blast radius if an EPMM server is compromised.
  • Monitor Logs for Suspicious Activity: Scrutinize Ivanti EPMM server logs for any unusual access patterns, unauthorized command execution, or other indicators of compromise (IOCs).
  • Review Access Controls: Ensure that only necessary personnel have administrative access to the EPMM instance and review configurations for least privilege principles.
  • Perform Authentication Audits: Regularly audit authentication logs and mechanisms to detect brute-force attempts or other authentication bypass techniques.
  • Conduct Vulnerability Scans: Use specialized vulnerability scanners to identify any unpatched instances of Ivanti EPMM within your environment.

Recommended Tools for Detection and Mitigation

To aid in the detection and mitigation of this and similar vulnerabilities, several tools can be employed:

Tool Name | Purpose | Link
Nessus | Comprehensive vulnerability scanning | https://www.tenable.com/products/nessus
OpenVAS | Open-source vulnerability scanner | https://www.greenbone.net/en/community-edition/
Wireshark | Network protocol analyzer for traffic monitoring | https://www.wireshark.org/
SIEM Solutions (e.g., Splunk, Elastic Stack) | Centralized log management and security event monitoring | https://www.splunk.com/, https://www.elastic.co/elastic-stack

Conclusion

The CISA warning regarding Ivanti EPMM vulnerability CVE-2023-35078 serves as a critical call to action for all organizations utilizing this essential mobile device management solution. Active exploitation means every unpatched system is a potential entry point for attackers. Prioritizing the application of patches, enhancing monitoring, and strengthening overall security posture for Ivanti EPMM instances is not merely a recommendation but a necessity to safeguard against ongoing cyber threats.
