CVE-2023-35082 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability

Exploit added

January 18, 2024

Action due

February 8, 2024

Action required

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is unique to CVE-2023-35078 announced earlier.

References

https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US

Weakness Enumeration

CWE-ID	CWE Name
CWE-287	Improper Authentication

Known Affected Software Configurations

cpe:2.3:a:ivanti:endpoint_manager_mobile:11.11.0.1:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.10.0.4:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.11.0.2:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.11.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.10.0.1:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.4.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.4.1.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.5.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.6.0.01:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.6.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.7.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.8.1.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.9.0.1:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.9.1.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.10.0.3:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.10.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.8.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.8.1.2:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.9.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.9.1.2:::::::*

Details

Source:
NVD

Published:
August 15, 2023

Updated:
January 19, 2024

Risk information

CVSS v3

Base score:
9.8

Severity:

CRITICAL

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

Not defined