CVE-2023-35081 - New Ivanti EPMM Vulnerability
At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products. We continue investing significant resources to ensure that all our solutions exceed our own high standards.
During our thorough investigation of Ivanti Endpoint Manager Mobile (EPMM) vulnerability CVE-2023-35078 announced 23 July 2023, we have discovered additional vulnerabilities. We are reporting these vulnerabilities as CVE-2023-35081. As was the case with CVE-2023-35078, CVE-2023-35081 impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk.
We immediately mobilized resources to fix the problem and have a patch available now for supported versions of the product that gives comprehensive protection against CVE-2023-35078 and CVE-2023-35081. More detailed information is available in this Security Advisory.
Exploitation of CVE-2023-35078 allows:
- An unauthorized, remote (internet-facing) actor to access users’ personally identifiable information.
- Allow for some configuration changes to the server.
Exploitation of CVE-2023-35081 allows:
- An authenticated administrator to perform arbitrary file writes to the EPMM server.
- If used in conjunction with CVE-2023-35078, exploitation no longer requires authentication and can bypass ACLs (if applicable).
- If CVE-2023-35078 has been patched or RPM script mitigation has been run, CVE-2023-35081 is more difficult to exploit.
We are only aware of a very limited number of customers that have been impacted and are actively working with our customers and partners to investigate and remedy this situation. We continue to assess, validate and monitor the security posture of all our solutions.
Our Support team is always available to help customers and partners should they have any questions. Cases can be logged via the Success Portal (login credentials required).
Ivanti would like to thank mnemonic for their assistance in identifying this vulnerability. We also appreciate our partners at CISA, ACSC, and NCSC-NO for partnership in coordinated disclosure.