- 176/2023
- Critical
Ivanti released a security update to fix a critical vulnerability affecting all supported versions of Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core.
The addressed vulnerability could allow the remote attacker to gain access to specific API paths without requiring authentication. The API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on the vulnerable system.
Remote Unauthenticated API Access Vulnerability (CVE-2023-35078):
- CVSS: 10
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
It should be highlighted that Ivanti has confirmed that the zero-day is being exploited in attacks and also warned customers that it’s critical to immediately take action to ensure you are fully protected.
Vulnerabilities
CVE-2023-35078
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.