CISA Adds Ivanti Endpoint Manager Mobile Flaw (CVE-2023-35081) to its KEV Catalog
Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) cast a spotlight on a particularly disconcerting issue that has been added to its Known Exploited Vulnerabilities Catalog. This formidable foe comes in the guise of a high-severity vulnerability in the Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core.
This looming threat is tagged as CVE-2023-35081 and carries a CVSS score of 7.2, signaling its considerable severity. As a path traversal vulnerability lurking within Ivanti EPMM, it opens the door for an attacker to write arbitrary files onto the appliance. Consequently, this vulnerability brings to the fore “significant risks to the federal enterprise,” as noted by CISA, a reminder of the serious implications such vulnerabilities hold for our digital infrastructures.
Impacting supported versions 11.10, 11.9, and 11.8, as well as those already considered end-of-life (EoL), this flaw is nothing short of comprehensive in its scope. Ivanti disclosed, “CVE-2023-35081 empowers an authenticated administrator to perform arbitrary file writes to the EPMM server.” Furthermore, the vulnerability, when used conjointly with CVE-2023-35078, enables an attacker to bypass administrator authentication and ACL restrictions, demonstrating its potency.
Should a successful exploit take place, a threat actor could write arbitrary files on the appliance. This would provide the malicious entity with the means to execute OS commands on the appliance, running as the tomcat user.
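The chain described above (a path traversal that turns a file-write feature into a write anywhere the service account can reach) comes down to joining a caller-supplied name onto a base directory and trusting the result. The following Python is an added illustration of that bug class and its fix; it is not Ivanti's code and says nothing about how EPMM implements file writes. The root directory, the extension denylist and every input are constructed for the example.

```python
import posixpath
from typing import Optional

# Constructed base directory for the example; not a path taken from the advisory.
UPLOAD_ROOT = "/var/app/uploads"
# Extensions a servlet container will compile or load if they land under a webapp.
EXECUTABLE_EXT = {".jsp", ".jspx", ".class", ".jar", ".war"}


def naive_target(root: str, requested: str) -> str:
    """The pattern behind a path traversal write: join a caller-supplied name
    onto a base directory and trust the result. '..' segments walk out of root."""
    return posixpath.normpath(posixpath.join(root, requested))


def confined_target(root: str, requested: str) -> Optional[str]:
    """Return the canonical destination if it stays inside root, else None.

    Pure path logic (no filesystem access), so symlinks inside root are not
    followed here; a real deployment should also keep root free of links."""
    if not requested or "\x00" in requested or posixpath.isabs(requested):
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # commonpath proves containment; a plain startswith() check would wrongly
    # accept a sibling directory such as /var/app/uploads-old.
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        return None
    # Second layer: even inside root, refuse files the web container would execute.
    if posixpath.splitext(candidate)[1].lower() in EXECUTABLE_EXT:
        return None
    return candidate


if __name__ == "__main__":
    traversal = "../../tomcat/webapps/ROOT/x.jsp"   # constructed input
    print("naive   :", naive_target(UPLOAD_ROOT, traversal))
    print("confined:", confined_target(UPLOAD_ROOT, traversal))
    print("confined:", confined_target(UPLOAD_ROOT, "reports/q1.pdf"))
```

The naive join lands the constructed traversal input under a different tree entirely, while the confined version rejects it, rejects absolute names, rejects sibling-directory escapes that a prefix check misses, and independently refuses web-executable extensions so that a write which somehow reaches the webapp tree still cannot introduce loadable code.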
Ivanti offers something of a silver lining, stating, “As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081.”
The cybersecurity firm Mnemonic, credited with the discovery and reporting of this flaw, highlighted a chilling fact. They observed CVE-2023-35081 being utilized together with CVE-2023-35078 to write JSP and Java .class files to disk. These files were subsequently loaded into a running Apache Tomcat instance, enabling an external actor to run malicious Java bytecode on the affected servers.
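Because the observed payloads were JSP and .class files dropped where a running Tomcat would pick them up, one defender-side check is a baseline of the webapp tree and an alert on any web-executable file that appears or changes. The Python below is an added example of that check; it is not Mnemonic's or Ivanti's tooling, and the directory layout, file names and hashes in the sample snapshots are constructed.

```python
import hashlib
import os
from typing import Dict, List

# File types a running Tomcat will compile or load without a redeploy.
WEB_EXECUTABLE = {".jsp", ".jspx", ".class", ".jar"}


def is_web_executable(path: str) -> bool:
    return os.path.splitext(path)[1].lower() in WEB_EXECUTABLE


def snapshot(webapps_dir: str) -> Dict[str, str]:
    """Map every file under webapps_dir (relative path) to its SHA-256.
    Run once on a known-good deployment to produce the baseline."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(webapps_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webapps_dir)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = digest.hexdigest()
    return result


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report web-executable files that were added or modified since the baseline.
    Non-executable changes (CSS, images, logs) are deliberately ignored."""
    added = sorted(p for p in current
                   if p not in baseline and is_web_executable(p))
    modified = sorted(p for p in current
                      if p in baseline and baseline[p] != current[p]
                      and is_web_executable(p))
    return {"added": added, "modified": modified}


# Constructed sample snapshots; hashes are placeholders, not real digests.
BASELINE = {
    "ROOT/index.jsp": "aa11",
    "ROOT/WEB-INF/classes/com/example/App.class": "bb22",
    "ROOT/css/site.css": "cc33",
}
CURRENT = {
    "ROOT/index.jsp": "aa11",
    "ROOT/WEB-INF/classes/com/example/App.class": "dd44",  # changed bytecode
    "ROOT/css/site.css": "ee55",                            # changed, but inert
    "ROOT/static/update.jsp": "ff66",                       # new JSP
}

if __name__ == "__main__":
    # In production: compare(load_saved_baseline(), snapshot("/path/to/webapps"))
    print(compare(BASELINE, CURRENT))
```

On the constructed snapshots the report flags the new JSP and the altered .class file while staying silent on the stylesheet change, which keeps the alert focused on files Tomcat would actually execute. The baseline must be captured from a clean deployment and stored off the appliance, since an actor with the write described on this page could otherwise alter it as well.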