The issue, tracked as CVE-2023-35078, is described as a remote unauthenticated API access vulnerability that affects all currently supported versions (version 11.4 releases 11.10, 11.9 and 11.8) as well as older releases. It carries the maximum severity rating of 10 on the CVSS scale.
“An authentication bypass vulnerability in Ivanti EPMM allows unauthenticated users to access restricted functionality or resources of the application without proper authentication,” the company said in a brief advisory.
“If exploited, this vulnerability enables an unauthenticated, remote (Internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server.”
The US Cybersecurity and Infrastructure Security Agency (CISA) said that an adversary with access to the API paths could exploit them to obtain personally identifiable information (PII) such as names, phone numbers and other mobile device details for users on vulnerable systems.
“An attacker could also make other configuration changes, including creating an EPMM administrative account, which could make further changes to a vulnerable system,” CISA said.
The Utah-based IT software firm further said it is aware of active exploitation of the bug against a “very limited number of customers,” but did not disclose additional details about the nature of the attacks or the identity of the threat actor behind them.
That said, the Norwegian National Security Authority (NSM) has confirmed that the zero-day vulnerability was exploited by unknown threat actors to target the Organization for Government Security and Services (DSS).
According to security researcher Kevin Beaumont, patches for the problem have been made available in versions 11.8.1.1, 11.9.1.1 and 11.10.0.2.
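For a defender with a fleet of EPMM appliances, the practical question is which builds still need the patch. The following is an added example (not code from the article, Ivanti, CISA or Kevin Beaumont) that takes the fixed builds named above, 11.8.1.1, 11.9.1.1 and 11.10.0.2, and triages an inventory of reported versions. The rule that a build is considered patched only when it is at or above the fix for its own branch, and that every branch below 11.8 is unsupported and therefore affected, is an assumption of this example; branches not listed on the page are reported as unknown rather than guessed at.

```python
"""Triage Ivanti EPMM versions against the CVE-2023-35078 fixed builds.

Added example, not vendor code. Fixed builds come from the article; the
branch-matching policy and the sample inventory below are constructed here.
"""
from __future__ import annotations

# Fixed build per supported branch, as reported in the article.
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, ...]] = {
    (11, 8): (11, 8, 1, 1),
    (11, 9): (11, 9, 1, 1),
    (11, 10): (11, 10, 0, 2),
}

# Assumption: anything below the oldest supported branch is affected and
# cannot be patched in place; it has to move to a fixed release.
OLDEST_SUPPORTED_BRANCH = (11, 8)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '11.8.1.1' into (11, 8, 1, 1); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify one reported version as 'patched', 'vulnerable' or 'unknown'."""
    v = parse_version(version)
    branch = (v[0], v[1])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Older than the oldest branch the advisory lists as supported.
        if branch < OLDEST_SUPPORTED_BRANCH:
            return "vulnerable"
        # Newer or unlisted branch: the page says nothing about it, so do not guess.
        return "unknown"
    # Tuple comparison handles short strings: (11, 8, 1) < (11, 8, 1, 1) is True,
    # so a build reported without its last component is treated as pre-fix.
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by assessment so the 'vulnerable' list can go straight to patching."""
    groups: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": [], "unparseable": []}
    for host, version in inventory.items():
        try:
            groups[assess(version)].append(host)
        except ValueError:
            groups["unparseable"].append(host)
    for hosts in groups.values():
        hosts.sort()
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "epmm-eu-1": "11.10.0.2",
    "epmm-eu-2": "11.10.0.1",
    "epmm-us-1": "11.8.1.1",
    "epmm-us-2": "11.8.0.0",
    "epmm-lab": "11.7.2.0",
    "epmm-new": "11.11.0.0",
    "epmm-bad": "unknown-build",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:11s} {', '.join(hosts) or '-'}")
```

The unparseable bucket matters in practice: a host whose version string does not parse is one the inventory tool could not read, which should be checked by hand rather than silently dropped.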