
Hackers Exploiting Ivanti EPMM Devices to Deploy Dormant Backdoors
In a concerning development for enterprise security, threat actors are actively exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) devices. Their objective: to implant sophisticated “dormant” backdoors capable of lingering undetected for extended periods, awaiting activation. This strategy allows attackers to establish a persistent foothold within target networks, significantly increasing the risk of data compromise and operational disruption.
The Anatomy of the Attack: Critical Ivanti EPMM Vulnerabilities
The core of these attacks lies in the exploitation of two recently disclosed critical flaws within Ivanti EPMM. While the specific package affected differs, the practical impact for defenders remains consistently severe: unauthorized access and potential remote code execution.
- CVE-2023-35078 (Authentication Bypass): This vulnerability impacts the aftstore package, allowing unauthenticated attackers to bypass authentication mechanisms. Such a bypass grants them unauthorized administrative access to potentially sensitive device management functionality.
- CVE-2023-35081 (Remote Code Execution): Affecting the appstore package, this flaw enables authenticated attackers (or attackers who previously bypassed authentication via CVE-2023-35078) to execute arbitrary code remotely.
The combination of authentication bypass and remote code execution presents a formidable threat, allowing attackers to take full control of the compromised EPMM appliance.
The deployment of “dormant” backdoors is a calculated move. By delaying activity, attackers aim to evade immediate detection by security mechanisms, allowing them to establish a deeper and more resilient presence within the network.
Why Ivanti EPMM is a High-Value Target
Ivanti EPMM (formerly MobileIron Core) solutions are widely adopted by organizations to manage and secure mobile devices and applications. Their central role in enterprise mobility makes them attractive targets for adversaries. Successful compromise of an EPMM appliance can lead to:
- Extensive Network Access: Gaining control over an EPMM device can provide attackers with a pivot point into the broader corporate network, potentially accessing sensitive data and systems managed by the platform.
- Data Exfiltration: With administrative control, attackers can exfiltrate sensitive corporate or user data stored on or accessible through the EPMM.
- Further Malware Deployment: The installed dormant backdoors can serve as conduits for deploying additional malware, ransomware, or other malicious payloads.
- Disruption of Operations: Beyond data theft, attackers could disrupt mobile device management, impacting business continuity.
Remediation Actions and Mitigations
Organizations utilizing Ivanti EPMM devices must act swiftly to mitigate the risks posed by these active exploits. Proactive measures are crucial to prevent compromise and detect existing threats.
- Immediate Patching: Apply all available security updates and patches from Ivanti without delay. Specifically, prioritize the patches addressing CVE-2023-35078 and the accompanying remote code execution flaw described above.
- Vulnerability Scanning: Regularly scan your network and Ivanti EPMM appliances for known vulnerabilities. This helps identify unpatched systems before attackers do.
- Network Segmentation: Implement strong network segmentation to isolate Ivanti EPMM devices from critical internal networks. This limits the lateral movement of attackers even if an EPMM device is compromised.
- Strong Authentication and Access Control: Enforce multi-factor authentication (MFA) for all administrative access to EPMM devices. Implement the principle of least privilege, ensuring administrators only have the necessary permissions.
- Monitor Logs for Anomalies: Continuously monitor logs from EPMM devices, firewalls, and intrusion detection/prevention systems (IDS/IPS) for any unusual activity, such as unauthorized logins, unexpected administrative actions, or unusual outbound connections.
- Incident Response Plan: Ensure a well-defined incident response plan is in place and regularly tested to address potential compromises of critical infrastructure like EPMM systems.
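As an added illustration of the log-monitoring item above (this is not code from the original article, and the log format, the admin subnet and the expected egress destination are all constructed assumptions rather than Ivanti's real formats), the following script scans appliance-style log lines for the three anomaly classes the list names: administrative logins from unexpected sources, administrative actions outside normal hours, and outbound connections to destinations not on an allowlist.

```python
"""Assumed, constructed log format (not Ivanti EPMM's real format):
<ISO-8601 timestamp> <EVENT> key=value ...   e.g. src=, user=, dst="""
import ipaddress
from datetime import datetime

# Assumptions for this example: admins only log in from one jump-host subnet,
# the appliance only talks outbound to one update host, and work hours are 07-19 UTC.
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]
KNOWN_EGRESS = {"updates.example-vendor.invalid"}
WORK_HOURS = range(7, 20)

# Constructed sample lines: one normal admin login, one off-hours login from
# outside the admin subnet followed by a config change, one expected outbound
# connection and one unexpected one.
SAMPLE_LOGS = """\
2023-07-24T09:15:02Z ADMIN_LOGIN src=10.10.0.5 user=ops.admin
2023-07-24T03:41:17Z ADMIN_LOGIN src=203.0.113.77 user=ops.admin
2023-07-24T03:42:03Z CONFIG_CHANGE src=203.0.113.77 user=ops.admin
2023-07-24T03:42:30Z OUTBOUND src=10.10.0.20 user=- dst=updates.example-vendor.invalid
2023-07-24T03:43:11Z OUTBOUND src=10.10.0.20 user=- dst=198.51.100.9
""".splitlines()

def parse(line):
    """Split a log line into a dict with parsed timestamp, event and key=value fields."""
    ts, event, *kv = line.split()
    rec = dict(part.split("=", 1) for part in kv)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["event"] = event
    return rec

def anomalies(lines):
    """Return (reason, line) pairs for every anomaly found; several reasons may fire per line."""
    alerts = []
    for line in lines:
        rec = parse(line)
        src = ipaddress.ip_address(rec["src"])
        if rec["event"] in ("ADMIN_LOGIN", "CONFIG_CHANGE"):
            if not any(src in net for net in ADMIN_NETS):
                alerts.append(("admin-from-unexpected-source", line))
            if rec["ts"].hour not in WORK_HOURS:
                alerts.append(("admin-outside-hours", line))
        elif rec["event"] == "OUTBOUND" and rec["dst"] not in KNOWN_EGRESS:
            alerts.append(("unexpected-egress", line))
    return alerts

if __name__ == "__main__":
    for reason, line in anomalies(SAMPLE_LOGS):
        print(f"[{reason}] {line}")
```

In practice the allowlists would come from the organization's inventory and the events would be forwarded to the SIEM rather than printed; the point is that each check is a deterministic rule a SIEM correlation search can express.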
Detection and Remediation Tools
Leveraging appropriate tools can significantly aid in detecting and mitigating vulnerabilities and potential compromise.
| Tool Name | Purpose | Link |
|---|---|---|
| Nessus | Vulnerability scanning and detection | https://www.tenable.com/products/nessus |
| OpenVAS | Open-source vulnerability scanner | http://www.openvas.org/ |
| Snort/Suricata | Intrusion Detection/Prevention Systems (IDS/IPS) for network traffic analysis | https://www.snort.org/ / https://suricata-ids.org/ |
| SIEM Solutions (e.g., Splunk, ELK Stack) | Centralized log management and security event correlation | https://www.splunk.com/ / https://www.elastic.co/elk-stack |
Conclusion
The active exploitation of Ivanti EPMM vulnerabilities to deploy dormant backdoors underscores the persistent and evolving threat landscape facing enterprises. Organizations must move beyond basic security practices and adopt a proactive, multi-layered defense strategy. Immediate patching, continuous monitoring, and robust incident response capabilities are critical to safeguard mobile device management infrastructure and, by extension, the entire corporate network from sophisticated attacks.