Ivanti discloses critical RCE vulnerability in EPM software

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Ivanti has disclosed a critical remote code execution (RCE) vulnerability in its Endpoint Manager (EPM) software, tracked as CVE-2023-39336 (CVSSv3.1 score: 9.6), which can allow unauthenticated threat actors to hijack enrolled devices or the core server. At the time of writing, intelligence indicates that the flaw has not yet been exploited in the wild.

Impact

It has been assessed that successful exploitation of CVE-2023-39336 will almost certainly allow a threat actor with network access to leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve their output without authentication. There is a realistic possibility that such a compromise could be escalated to RCE on the core server if the server is configured to use SQL Express.

Vulnerability Detection

Ivanti has released a security patch for the affected product. Versions prior to the patched release should be considered vulnerable to exploitation.

Affected Products

Ivanti EPM.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Containment, Mitigations & Remediations

It is strongly recommended that the Ivanti ‘version 2022 Service Update 5’ is applied as soon as possible to reduce the risk of compromise through exploitation of CVE-2023-39336.

Threat Landscape

Ivanti holds a significant share of the mobile-device-management market. Given that threat actors generally weigh likelihood of success against asset value when selecting attack surfaces, related products are likely to emerge as a prime target. Because Ivanti products have become an integral part of business operations, threat actors will continue to exploit their vulnerabilities in an attempt to exfiltrate the sensitive data they hold.

The disclosure of CVE-2023-39336 follows state-sponsored operations in Q3 2023 that exploited two zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti Endpoint Manager Mobile (EPMM) with the objective of infiltrating Norwegian government networks. Ivanti products have been assessed to be attractive targets for sophisticated threat actor groups because of the elevated access they can provide to high-profile government and private sector networks. As such, it is crucial that users of Ivanti EPM apply the relevant security updates as a matter of urgency.

Threat Actor

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactic:

TA0002 – Execution

Further Information

Ivanti Blog