Select Page

Ivanti is warning users to update their Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core) to the latest version that fixes an actively exploited zero-day vulnerability.

Dubbed CVE-2023-35078, the issue has been described as a remote unauthenticated API access vulnerability that impacts currently supported version 11.4 releases 11.10, 11.9, and 11.8 as well as older releases. It has the maximum severity rating of 10 on the CVSS scale.

“An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication,” the company said in a terse advisory.

“If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said an adversary with access to the API paths could exploit them to obtain personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system.

images from Hacker News