Critical Ivanti zero-day vulnerability actively exploited

Target Industry

Although exploitation may be indiscriminate and opportunistic, government organisations have already been targeted.

Overview

Ivanti has disclosed a critical zero-day vulnerability, tracked as CVE-2023-35078 (CVSSv3 score: 10.0), which is an authentication bypass flaw impacting all supported versions of Ivanti’s Endpoint Manager Mobile (EPMM) device management software.

The flaw has already been exploited to target 12 Norwegian government ministries. Although not confirmed at the time of writing, it remains a possibility that threat actors have exfiltrated data from vulnerable systems in this instance.

Open-source intelligence gathering within the Shodan platform has also revealed that over 2,900 EPMM user portals are exposed to the internet, a significant portion of which belong to organisations in the UK and the US.

Impact

Successful exploitation of CVE-2023-35078 allows a remote threat actor to potentially access users’ personally identifiable information (PII) and apply changes to the impacted server.

Vulnerability Detection

Ivanti has released a security update that addresses this vulnerability. Any EPMM instance running a release earlier than the patched versions listed below should be treated as vulnerable to exploitation.

Affected Products

Ivanti EPMM version 11.4 (releases 11.10, 11.9 and 11.8) and earlier releases.

Containment, Mitigations & Remediations

Given the severity of the vulnerability and the fact that it is already being actively exploited, it is strongly recommended that users of the affected product versions apply the security update as a matter of urgency.

The updates can be applied by upgrading to the following Ivanti EPMM versions:

  • 11.8.1.1
  • 11.9.1.1
  • 11.10.0.2
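The fixed builds above are specific to each release branch, so a naive check such as "is the installed version newer than 11.10.0.2?" gives the wrong answer for 11.9.1.1 (patched) and 11.10.0.1 (vulnerable). The following Python, added here as an illustration and not code from Ivanti or this bulletin, triages an exported EPMM version inventory against the per-branch fixed builds. The inventory and host names are constructed; the treatment of branches older than 11.8 as vulnerable follows the affected-products statement, and branches newer than 11.10 are reported as unknown rather than guessed at.

```python
"""Per-branch version check for CVE-2023-35078 exposure (constructed example)."""

# First fixed build in each supported EPMM release branch, as listed in the
# bulletin's remediation section. Branch key = (major, minor).
FIXED_BY_BRANCH = {
    (11, 8): (11, 8, 1, 1),
    (11, 9): (11, 9, 1, 1),
    (11, 10): (11, 10, 0, 2),
}

OLDEST_FIXED_BRANCH = min(FIXED_BY_BRANCH)  # (11, 8)


def parse_version(text):
    """Turn '11.10.0.2' into (11, 10, 0, 2), zero-padding shorter strings.

    Integer tuples compare component-wise, so (11, 10, 0, 2) > (11, 9, 1, 1)
    as intended, whereas the raw strings compare the other way round.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one EPMM version string.

    Each supported branch has its own fixed build, so the comparison is made
    against the fix for that branch only. Branches older than 11.8 are treated
    as vulnerable (the bulletin lists 'and earlier' as affected); branches newer
    than those in the bulletin are not covered by it and are flagged unknown.
    """
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return "patched" if version >= FIXED_BY_BRANCH[branch] else "vulnerable"
    if branch < OLDEST_FIXED_BRANCH:
        return "vulnerable"
    return "unknown"


def triage(inventory):
    """Map each (hostname, version) pair to its status.

    The inventory shape mimics an asset-register or CMDB export; it is an
    assumption of this example, not an Ivanti data format.
    """
    return {host: assess(version) for host, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [
        ("mdm-prod-01.example.internal", "11.10.0.1"),
        ("mdm-prod-02.example.internal", "11.10.0.2"),
        ("mdm-dr-01.example.internal", "11.9.1.1"),
        ("mdm-legacy.example.internal", "11.7.0.0"),
    ]
    for host, status in triage(sample).items():
        print(f"{host:32} {status}")
```

Run against a real export, any host reported as vulnerable should be patched to the fixed build for its branch, and any host reported as unknown should be checked against the current Ivanti advisory rather than assumed safe.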

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Ivanti holds a significant share of the mobile-device-management market. Because threat actors generally weigh the likelihood of success against the value of the asset when choosing where to focus, these products are likely to remain a prime target. As Ivanti products have become integral to business operations, threat actors will continue to exploit their vulnerabilities in an attempt to exfiltrate the sensitive data they hold.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Persistence Technique:

T1556 – Modify Authentication Process

Further Information

Ivanti Advisory

CISA Advisory

Figure: Intelligence terminology yardstick showing the likelihood of events.