Ivanti Endpoint Manager Mobile (EPMM) CVE-2023-35078

Ivanti, a leading provider of IT software solutions, has recently addressed a critical zero-day authentication bypass vulnerability in its Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability, designated as CVE-2023-35078, allows unauthenticated remote access to specific API paths, posing a significant threat to the security of user data.

(Updated: 31st July 2023)

An attacker exploiting this vulnerability can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. Furthermore, the attacker can make configuration changes, including the creation of an EPMM administrative account, which can lead to further system compromise.

The vulnerability affects all supported versions of Ivanti Endpoint Manager Mobile (EPMM) prior to the vendor patch: 11.10, 11.9, and 11.8. Product versions no longer receiving support are also affected. Ivanti has released patches to remediate the issue: 11.10.0.2, 11.9.1.1, and 11.8.1.1. Ivanti has also provided a workaround for versions no longer receiving support.

Ivanti has confirmed that they have received information from a credible source indicating active exploitation of CVE-2023-35078. The Norwegian National Security Authority (NSM) has released a statement that CVE-2023-35078 was used in a zero-day attack to successfully compromise the Norwegian Security and Service Organization (DSS). The US Cybersecurity & Infrastructure Security Agency (CISA) has also released an advisory for the vulnerability and added it to their Known Exploited Vulnerabilities (KEV) catalog.

The Shadowserver project has listed 2,729 IP addresses on the internet that remain vulnerable to the issue (as of July 24, 2023). Currently, no known public exploit code is available (as of July 26, 2025). If public exploit code becomes available, we expect more broad exploitation of vulnerable internet-facing systems. Organizations running the affected software are advised to apply the vendor patch as soon as possible.

For more information, please refer to the following resources:

Indicators of Compromise (IOCs):

The following addresses have been observed in the wild attempting exploitation of this vulnerability and are NOT associated with the original Ivanti disclosure.

  • 104.238.188[.]253
  • 140.82.12[.]176
  • 103.29.68[.]92
  • 23.95.146[.]52
  • 45.32.90[.]176
  • 83.118.55[.]9
  • 178.175.131[.]101

Sightings as of 31st July 2023

The API v2 can be accessed without authentication by altering the URI path. According to the API documentation, all API calls are based on the URL format: https://[core server]/api/v2/. If you add the path to a vulnerable endpoint, you can execute commands without needing authentication, as shown here: https://[core server]/vulnerable/path/api/v2/.
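As an added example (not part of the original advisory or Ivanti's own tooling), the following Python script turns the two detection points above into a log check: it refangs the IoC list and matches request sources against it, and it flags any request in which `/api/v2/` is reached only after some other path prefix, which is the pattern the paragraph above describes for the unauthenticated access. The log lines, the prefix `/some/prefix/` and the client addresses other than the published IoCs are constructed for the example; the real prefix used in the wild is deliberately not reproduced here.

```python
import re
from ipaddress import ip_address

# Indicator IPs exactly as published in the advisory (defanged with "[.]").
DEFANGED_IOCS = [
    "104.238.188[.]253",
    "140.82.12[.]176",
    "103.29.68[.]92",
    "23.95.146[.]52",
    "45.32.90[.]176",
    "83.118.55[.]9",
    "178.175.131[.]101",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a plain IP string,
    validating that the result really is an IP address."""
    plain = indicator.replace("[.]", ".")
    ip_address(plain)  # raises ValueError on a malformed indicator
    return plain


IOC_SET = {refang(i) for i in DEFANGED_IOCS}

# Minimal parser for Common/Combined Log Format lines: source, timestamp,
# method, request target, status and size. Anything else is ignored.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def api_path_is_anomalous(target: str) -> bool:
    """The API documentation places every call under /api/v2/ at the root of
    the path. A request whose path contains /api/v2/ only after some other
    prefix does not match that layout and is worth a look."""
    path = target.split("?", 1)[0]
    return path.find("/api/v2/") > 0


def classify(line: str):
    """Parse one log line and return a record with the reasons it was flagged
    (an empty list means the line looked normal). Returns None for lines the
    parser does not understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src = m.group("src")
    reasons = []
    if src in IOC_SET:
        reasons.append("source matches published IoC")
    if api_path_is_anomalous(m.group("target")):
        reasons.append("/api/v2/ reached via unexpected path prefix")
    return {
        "src": src,
        "target": m.group("target"),
        "status": int(m.group("status")),
        "reasons": reasons,
    }


def scan(log_text: str):
    """Return one record per log line that triggered at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["reasons"]:
            flagged.append(rec)
    return flagged


# Constructed sample log: a normal call, a published IoC hitting the normal
# path, an unknown client using the anomalous prefix, a published IoC using the
# anomalous prefix, and one malformed line the parser skips.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jul/2023:10:15:02 +0000] "GET /api/v2/ping HTTP/1.1" 401 0
140.82.12.176 - - [25/Jul/2023:10:16:40 +0000] "GET /api/v2/ping HTTP/1.1" 401 0
198.51.100.7 - - [25/Jul/2023:10:17:05 +0000] "GET /some/prefix/api/v2/ping HTTP/1.1" 200 112
83.118.55.9 - - [25/Jul/2023:10:18:31 +0000] "GET /some/prefix/api/v2/users?x=1 HTTP/1.1" 200 4096
this line is not in a log format the parser understands
"""

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f"{rec['src']:16} {rec['status']} {rec['target']}  <- {'; '.join(rec['reasons'])}")
```

A 200 response paired with the prefix anomaly is the combination worth escalating, since a correctly authenticated deployment should answer unauthenticated `/api/v2/` calls with 401. If the appliance sits behind a reverse proxy that legitimately rewrites paths, tune `api_path_is_anomalous` to allow that known prefix before relying on the check.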

GreyNoise sightings: https://viz.greynoise.io/tag/ivanti-epmm-mobileiron-core-authentication-bypass-attempt