Ivanti discloses multiple critical vulnerabilities targeting MobileIron

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Ivanti Sentry (previously known as MobileIron Sentry): CVE-2023-38035 (CVSSv3 Score: 9.8).

Ivanti has released details regarding a critical API authentication bypass vulnerability within the MICS Admin Portal. This is being tracked as CVE-2023-38035 (CVSSv3 Score: 9.8). This vulnerability affects Ivanti Sentry (previously known as MobileIron Sentry); no other Ivanti products are affected. Exploitation would allow an attacker to gain access to the MobileIron Configuration Service (MICS) Admin Portal due to an insufficiently restrictive Apache HTTPD configuration.

CVE-2023-35082 (CVSSv3 score: 10.0) is a critical authentication bypass vulnerability impacting the MobileIron Core mobile device management software.

Open-source intelligence gathering within the Shodan platform has also revealed that over 2,200 MobileIron user portals are exposed online, a significant portion of which pertain to government organisations.

Impact

Successful exploitation of CVE-2023-38035 would allow an attacker to obtain unauthenticated access to the admin portal configuration APIs exposed over port 8443, which is used by the MICS. This would allow the threat actor to change configurations, run system commands and write files onto systems running Ivanti Sentry v9.18 and lower.

Successful exploitation of CVE-2023-35082 allows threat actors to access personally identifiable information (PII) of mobile device users and backdoor compromised servers by deploying web shells when exploited in conjunction with other security flaws (such as CVE-2023-35081), thus leading to the compromise of sensitive data.

Vulnerability Detection

Ivanti has released a security update for CVE-2023-38035 relating to the affected product versions. As such, previous versions are now vulnerable to potential exploitation.

MobileIron Core mobile device management software versions prior to 11.11.0.0 are vulnerable to CVE-2023-35082.

Affected Products

CVE-2023-38035: Ivanti Sentry version 9.18 and prior.

CVE-2023-35082: MobileIron Core version 11.2 and prior.

Containment, Mitigations & Remediations

It is strongly recommended that users of both MobileIron Core and Ivanti Sentry update their systems to a supported version as soon as possible to remove the threat of vulnerability exploitation.
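To decide which Ivanti Sentry hosts to update first, the following added example (not part of the original bulletin or of Ivanti's guidance) flags hosts in the affected range stated above (9.18 and prior) and lists any non-management sources that were allowed to reach the MICS port 8443. The management network, inventory, log format and log rows are constructed assumptions.

```python
import ipaddress

# Assumptions (not from the bulletin): management CIDR, inventory and log rows are constructed.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
MICS_PORT = 8443          # MICS Admin Portal port named in the bulletin
LAST_AFFECTED = (9, 18)   # "Ivanti Sentry version 9.18 and prior"

INVENTORY = {             # constructed: Sentry host IP -> reported version
    "10.1.1.10": "9.9.0",
    "10.1.1.11": "9.18.0",
    "10.1.1.12": "9.19.0",
}
# Constructed connection log: timestamp,src_ip,dst_ip,dst_port,action
CONN_LOG = """\
2023-08-22T09:01:12Z,10.20.0.5,10.1.1.10,8443,allow
2023-08-22T09:03:40Z,198.51.100.7,10.1.1.10,8443,allow
2023-08-22T09:04:02Z,198.51.100.7,10.1.1.11,8443,deny
2023-08-22T09:07:55Z,203.0.113.9,10.1.1.12,8443,allow
2023-08-22T09:08:10Z,203.0.113.9,10.1.1.11,443,allow
"""

def in_affected_range(version):
    """Compare major.minor numerically; a string compare would rank 9.9 above 9.18."""
    parts = (version.split(".") + ["0"])[:2]
    return tuple(int(p) for p in parts) <= LAST_AFFECTED

def is_mgmt(src):
    return any(ipaddress.ip_address(src) in net for net in MGMT_NETS)

def triage(inventory, log_text):
    """Map each affected host to the non-management sources allowed to reach port 8443."""
    findings = {h: set() for h, v in inventory.items() if in_affected_range(v)}
    for line in log_text.splitlines():
        _ts, src, dst, port, action = line.strip().split(",")
        if (dst in findings and int(port) == MICS_PORT
                and action == "allow" and not is_mgmt(src)):
            findings[dst].add(src)
    return {h: sorted(s) for h, s in findings.items()}

if __name__ == "__main__":
    for host, sources in triage(INVENTORY, CONN_LOG).items():
        seen = "reached by " + ", ".join(sources) if sources else "no non-management access seen"
        print(f"{host} (Sentry {INVENTORY[host]}): affected range; port {MICS_PORT} {seen}")
```

Hosts that are both in the affected range and reachable on 8443 from outside the management network are the ones to update and review first.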

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Ivanti occupies a significant portion of the mobile-device-management market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, these products will likely emerge as a prime target. Since Ivanti products have become an integral aspect of business operations, threat actors will continue to exploit the associated vulnerabilities in an attempt to exfiltrate sensitive data contained therein.

The disclosure of CVE-2023-35082 arrived just days following another critical Ivanti MobileIron Core vulnerability with a CVSSv3 score of 10.0 (CVE-2023-35078). Due to the severity of these vulnerabilities, as well as the fact that they can be chained with others to form dangerous exploits, it is highly likely that threat actors will attempt to target these vulnerabilities to achieve their objectives. As such, it is crucial that users of the affected product versions apply the relevant security updates as a matter of urgency.

Please see the related Quorum Cyber Threat Intelligence bulletins for further details:

CVE-2023-35078

CVE-2023-32560

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

MITRE Methodologies

Persistence Technique:

T1556 – Modify Authentication Process

Further Information

Ivanti Sentry Advisory

MobileIron Core Advisory
