
Ivanti Endpoint Manager Mobile (EPMM) Zero-Day RCE Vulnerabilities (CVE-2023-35078 & CVE-2023-35081) Actively Exploited: Security Updates and Mitigation Guidance

  • Rescana
  • 56 minutes ago
  • 4 min read

Executive Summary

Two critical zero-day vulnerabilities have been discovered and are actively exploited in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. These vulnerabilities, tracked as CVE-2023-35078 and CVE-2023-35081, enable unauthenticated remote code execution (RCE) on affected appliances. Both flaws are being leveraged in the wild by threat actors to gain full control over vulnerable systems, with the potential for lateral movement and data exfiltration. Ivanti has released urgent security updates and mitigation guidance. Organizations using Ivanti EPMM must prioritize patching and incident response to prevent compromise and limit potential damage.

Threat Actor Profile

The exploitation of these Ivanti EPMM vulnerabilities has attracted a range of threat actors, including advanced persistent threat (APT) groups and financially motivated cybercriminals. Public reporting, including advisories from CISA and Mandiant, indicates that state-sponsored actors have targeted government, critical infrastructure, and enterprise networks. These actors are characterized by their use of sophisticated tactics, techniques, and procedures (TTPs), including the deployment of custom web shells, credential theft, and the use of living-off-the-land binaries (LOLBins) for persistence and lateral movement. The rapid weaponization of public proof-of-concept (PoC) exploits has also enabled opportunistic attackers to scan for and compromise unpatched Ivanti EPMM instances globally.

Technical Analysis of Malware/TTPs

CVE-2023-35078 is an authentication bypass vulnerability in the Ivanti EPMM API, allowing unauthenticated attackers to access restricted endpoints. By sending specially crafted HTTP requests to vulnerable endpoints, attackers can execute arbitrary commands as the root user. The flaw is rooted in improper access control and input validation within the /mifs/aad/api/v2/ and related API paths. Exploitation typically involves the injection of Bash commands via HTTP parameters, which are then executed by backend scripts such as /mi/bin/map-appstore-url.

CVE-2023-35081 is a path traversal vulnerability that allows attackers to overwrite arbitrary files on the appliance. When chained with CVE-2023-35078, this enables the deployment of persistent web shells or the modification of system files to establish backdoors. Attackers have been observed uploading web shells to directories such as /var/mobileiron/, enabling remote command execution and further exploitation.

Malware and TTPs associated with these attacks include the use of custom web shells (e.g., simple PHP or Bash reverse shells), credential dumping tools, and the modification of authentication configurations (such as SSO or LDAP settings) to maintain access. Attackers also leverage built-in Linux utilities for reconnaissance, privilege escalation, and lateral movement within the victim environment.

Exploitation in the Wild

Active exploitation of these vulnerabilities was observed prior to public disclosure, with threat actors scanning for and compromising exposed Ivanti EPMM instances. Attackers typically initiate exploitation by sending unauthenticated HTTP GET or POST requests to vulnerable API endpoints, injecting malicious payloads that result in remote code execution. Once access is gained, web shells are deployed to establish persistence, and attackers may enumerate user accounts, extract configuration files, and pivot to other systems within the network.

Incident reports indicate that exploitation can lead to the exposure of sensitive data, including personally identifiable information (PII), device inventories, and authentication credentials. In some cases, attackers have leveraged compromised Ivanti EPMM appliances as a foothold for broader campaigns targeting enterprise and government networks.

Victimology and Targeting

Victims of these exploits include organizations across government, critical infrastructure, healthcare, finance, and large enterprises. The global footprint of Ivanti EPMM deployments has made this an attractive target for both targeted and opportunistic attacks. Notably, government agencies in Norway and other European countries have reported breaches linked to these vulnerabilities, with attackers seeking to access sensitive internal resources and data. The targeting pattern suggests a focus on organizations with high-value assets and those with internet-exposed Ivanti EPMM instances.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by these vulnerabilities. Organizations must apply the latest security updates released by Ivanti for all affected EPMM versions. The patches address both CVE-2023-35078 and CVE-2023-35081 and are available through the official Ivanti support portal. It is critical to note that some patches may not persist through version upgrades, necessitating reapplication after any update.

In addition to patching, organizations should conduct thorough log analysis, focusing on /var/log/httpd/https-access_log for suspicious requests to /mifs/aad/api/v2/ and related endpoints. Regex patterns such as ^.*\/mifs\/aad\/api\/v2\/.*$ can help identify exploitation attempts. Indicators of compromise include unauthorized web shells, unexpected changes to administrator accounts, and modifications to authentication or network configurations.
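As an added example (not part of Rescana's post or Ivanti's tooling), the log check described above written as a small Python script: it parses Apache combined-format lines as found in https-access_log, matches the request path against the /mifs/aad/api/v2/ prefix rather than the whole line (so referer or user-agent text cannot trigger a hit), and counts hits per source address for triage. The sample log lines and the request paths in them are constructed, and the exact log layout of a given EPMM build is an assumption.

```python
import re
from collections import Counter

# Apache combined-format line as written to /var/log/httpd/https-access_log.
# The field layout on a given EPMM build is an assumption; adjust the
# pattern if your log lines differ.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Path prefix the advisory names as the exploitation surface. Matching the
# request path, not the whole line, avoids hits on referer/user-agent text.
SUSPICIOUS_PATH_RE = re.compile(r'^/mifs/aad/api/v2/')

# Constructed sample lines (not from a real incident): one benign login-page
# request, then three requests to the watched API prefix from one source.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jul/2023:10:01:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512
198.51.100.7 - - [24/Jul/2023:10:02:15 +0000] "GET /mifs/aad/api/v2/ping HTTP/1.1" 200 87
198.51.100.7 - - [24/Jul/2023:10:02:16 +0000] "GET /mifs/aad/api/v2/example HTTP/1.1" 200 9031
198.51.100.7 - - [24/Jul/2023:10:02:40 +0000] "POST /mifs/aad/api/v2/example HTTP/1.1" 200 120
"""

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(log_text):
    """Return parsed records whose request path hits the watched API prefix."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SUSPICIOUS_PATH_RE.match(rec["path"]):
            hits.append(rec)
    return hits

def summarize_by_source(hits):
    """Count hits per source IP so repeated probing stands out in triage."""
    return Counter(h["src"] for h in hits)

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["src"]} {h["method"]} {h["path"]} -> {h["status"]}')
    for src, n in summarize_by_source(hits).most_common():
        print(f"{src}: {n} request(s) to /mifs/aad/api/v2/")
```

Hits from sources that have no business reaching the AAD API, especially those answered with a 200 status, are the ones to pair with the other indicators listed above (new web shells, changed administrator accounts, altered authentication settings).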

If compromise is suspected, organizations should restore affected appliances from known good backups, reset all credentials (including local, LDAP, and service accounts), and revoke and replace public certificates. Post-incident hardening should include reviewing and reverting unauthorized configuration changes, removing unauthorized administrators or applications, and continuous monitoring for further suspicious activity.

Network segmentation, strict access controls, and the use of web application firewalls (WAFs) can provide additional layers of defense. Organizations are also encouraged to monitor threat intelligence feeds and subscribe to Ivanti and CISA advisories for ongoing updates.

About Rescana

Rescana empowers organizations to proactively manage third-party cyber risk with our advanced TPRM platform. Our solution provides continuous monitoring, automated risk assessments, and actionable intelligence to help you identify, prioritize, and mitigate threats across your supply chain and digital ecosystem. For more information or to discuss your cybersecurity needs, we are happy to answer questions at ops@rescana.com.
