Cybersecurity researchers have discovered a bypass for a recently fixed actively exploited vulnerability in some versions of Ivanti Endpoint Manager Mobile (EPMM), prompting Ivanti to urge users to update to the latest version of the software.
Tracked as CVE-2023-35082 (CVSS score: 10.0) and discovered by Rapid7, the issue “allows unauthenticated attackers to access the API in older unsupported versions of MobileIron Core (11.2 and below).”
“If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server,” Ivanti said in an advisory released on August 2, 2023.
The software services provider further said that the shortcoming was “incidentally resolved” in MobileIron Core 11.3 as part of work on a product bug and that it had not previously been flagged as a security flaw.
Rapid7 security researcher Stephen Fewer said, “CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application’s security filter chain.”
This also means that the vulnerability could be abused in conjunction with CVE-2023-35081 “to allow an attacker write malicious webshell files to the appliance, which may then be executed by the attacker.”
With the latest disclosure, Ivanti has patched a total of three security flaws impacting its EPMM product in quick succession within a span of two weeks.
images from Hacker News