Ivanti Security Update – 03 August 2023

Ivanti released a security update to fix a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, version 11.2 and older.

The vulnerability could allow a remote attacker to access specific API paths without authentication and disclose personally identifiable information (PII). It could also be chained with CVE-2023-35081 to allow the remote attacker to write malicious webshell files to the appliance.

Remote Unauthenticated API Access Vulnerability (CVE-2023-35082):

  • CVSS: 10
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Bypass Security

Ivanti has confirmed that Ivanti MobileIron Core 11.2 has been out of support since March 15, 2022, and encourages customers to upgrade to the latest version of Ivanti Endpoint Manager Mobile (EPMM) to protect their environment from threats.

Vulnerabilities

CVE-2023-35082

Mitigations

The enterprise should upgrade to the latest version of Ivanti Endpoint Manager Mobile (EPMM) as soon as the testing phase is completed.

References