[CVSS 9+] Another Exploited Ivanti Vulnerability Following Zero-Days

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a critical Ivanti flaw to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability, CVE-2023-35082, affects Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core.

Unfortunately, this addition comes shortly after two other Ivanti zero-days, so addressing these actively exploited Ivanti vulnerabilities is urgent.

About CVE-2023-35082

The critical flaw, CVE-2023-35082, is an authentication bypass with a CVSS score of 9.8. It permits unauthorised remote access, which could expose users' personal data and allow an attacker to alter server settings. This Ivanti vulnerability affects multiple versions of EPMM and MobileIron Core.

Importantly, Rapid7 found that it can be chained with another flaw, CVE-2023-35081, enabling attackers to write malicious files to the system.

Ivanti’s Response

Ivanti has acknowledged the critical nature of this vulnerability.

Ivanti patched the vulnerability in August 2023 and issued an advisory with detailed information about the flaw and the fixes.

Also, Ivanti emphasised the potential risk to personally identifiable information and server integrity. The company advises users to implement the necessary patches urgently to mitigate the risk.

In the wake of recent zero-days in Ivanti Connect Secure devices, Ivanti also suggests additional security measures, such as rotating specific operational secrets after rebuilding.

Recent Ivanti Zero-Days

The announcement of CVE-2023-35082 comes in the wake of the exploitation of two zero-day flaws in Ivanti Connect Secure VPN devices: CVE-2023-46805 and CVE-2024-21887. These vulnerabilities have been exploited to install web shells and passive backdoors. Meanwhile, Ivanti is preparing updates to address these flaws. Please refer to our news article for more information about these zero-days.


©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.
