CISA warns govt agencies to patch Ivanti bug exploited in attacks

The Cybersecurity and Infrastructure Security Agency (CISA) warned U.S. federal agencies today to secure their systems against a maximum severity authentication bypass vulnerability in Ivanti's Endpoint Manager Mobile (EPMM), formerly MobileIron Core.

Tracked as CVE-2023-35078, this flaw has been exploited as a zero-day to hack a software platform used by 12 Norwegian ministries, according to the country's National Security Authority.

Successful exploitation enables unauthenticated attackers to access specific API paths remotely to steal personally identifiable information (PII), including names, phone numbers, and other mobile device details.

They can also make configuration changes on the compromised devices, including creating EPMM administrative accounts, which provide them with the permissions required to make further changes to vulnerable systems.

Ivanti has also confirmed that the bug is actively exploited in attacks and warned customers that it's critical to "immediately take action" to ensure their systems are fully protected.

While the company is yet to publicly release indicators of compromise (IOCs), security experts and researchers say [1, 2, 3] they contain info on the vulnerable endpoint required to exploit the vulnerability, which would allow threat actors to quickly create their own exploits and further escalate attacks.

Even though BleepingComputer has not been able to verify this independently, customers have claimed that Ivanti requested them to sign non-disclosure agreements when seeking further details about the CVE-2023-35078 vulnerability.

According to Shodan, almost 2,900 MobileIron user portals are currently accessible on the internet; among them, approximately three dozen belong to U.S. local and state government agencies.

Given this situation, it is essential that all network administrators immediately upgrade their Ivanti EPMM (MobileIron) installs to the latest version to safeguard their systems against potential attacks.

​Federal agencies ordered to patch by August 15

U.S. Federal Civilian Executive Branch Agencies (FCEB) have a three-week deadline, until August 15th, to secure their devices against attacks targeting the CVE-2023-35078 flaw, which was added to CISA's list of Known Exploited Vulnerabilities on Tuesday.

Under the binding operational directive (BOD 22-01) issued in November 2021, federal agencies are now bound to scan their networks for vulnerable devices and address any security flaws added to CISA's KEV catalog.

While the catalog mainly pertains to U.S. federal agencies, it is highly recommended that private companies also prioritize and apply patches for all vulnerabilities listed in CISA's list of bugs exploited in attacks.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned today.

The U.S. cybersecurity agency also gave federal agencies three weeks to patch their Adobe ColdFusion servers against two critical security flaws exploited in attacks, one of them as a zero-day.

Last week, CISA also warned that unknown threat actors breached the network of a critical infrastructure organization to steal Active Directory data after exploiting a zero-day RCE vulnerability (CVE-2023-3519) in NetScaler ADC and Gateway.