The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities (KEV) catalog, stating it’s being actively exploited in the wild.
The vulnerability in question is CVE-2023-35082 (CVSS score: 9.8), an authentication bypass that circumvents the patch for another flaw in the same solution tracked as CVE-2023-35078 (CVSS score: 10.0).
Ivanti said in August 2023, “If exploited, this vulnerability would enable an unauthorized, remote (Internet-facing) actor to access users’ personally identifiable information and make limited changes to the server.”
Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9, and 11.8 and all versions of MobileIron Core 11.7 and below are affected by the vulnerability.
Cybersecurity firm Rapid7, which discovered and reported the flaw, said it could be combined with CVE-2023-35081 to allow an attacker to write malicious web shell files on the device.
There are currently no details on how the vulnerability is being weaponized in real-world attacks. Federal agencies have been recommended to apply the vendor-provided fixes by February 8, 2024.
The disclosure comes as two other zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices (CVE-2023-46805 and CVE-2024-21887) have also come under mass exploitation to drop web shells and passive backdoors, with the company expected to release updates next week.
“We have observed that the threat actor has targeted the system’s configuration and running cache, which contains secrets critical to the operation of the VPN,” Ivanti said in an advisory.
“Although we have not seen this in every case, out of an abundance of caution, Ivanti is recommending you rotate these secrets after a rebuild.”
Volexity revealed earlier this week that it had found evidence of tampering on more than 1,700 devices worldwide. While the initial exploitation was linked to a suspected Chinese threat actor tracked as UTA0178, additional threat actors have since joined in exploiting the flaws.
Further reverse engineering of the twin flaws by Assetnote has uncovered an additional endpoint (“/api/v1/totp/user-backup-code”) through which the authentication bypass flaw (CVE-2023-46805) could be abused on older versions of ICS to obtain a reverse shell.
Security researchers Shubham Shah and Dylan Pindur described it as “yet another example of a secure VPN device exposing itself to wide-scale exploitation as a result of relatively simple security mistakes.”