Last updated at Wed, 26 Jul 2023 16:45:05 GMT

CVE-2023-35078 is a remote unauthenticated API access vulnerability in Ivanti Endpoint Manager Mobile, which was previously branded as MobileIron Core. The vulnerability has a CVSS v3 base score of 10.0 and a severity rating of Critical.

Ivanti has reported that they have received information from a credible source indicating active exploitation of CVE-2023-35078. A vendor-supplied patch to remediate CVE-2023-35078 was released on July 24, 2023.

Background

Ivanti Endpoint Manager Mobile (EPMM) is used to configure and manage mobile devices and enforce security policies on those devices. According to Ivanti’s advisory, if exploited, CVE-2023-35078 enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server.

On July 24, 2023, the Norwegian National Security Authority (NSM) released a statement that CVE-2023-35078 was used in a zero-day attack to successfully compromise the Norwegian Security and Service Organization (DSS). The US Cybersecurity & Infrastructure Security Agency (CISA) has also released an advisory for the vulnerability and added it to their Known Exploited Vulnerabilities (KEV) catalog.

According to CISA’s advisory, the vulnerability allows a remote unauthenticated attacker to access personally identifiable information (PII) and add an administrator account on the affected EPMM server, to allow for further system compromise.

The Shadowserver project has listed 2,729 IP addresses on the internet that remain vulnerable to the issue (as of July 24, 2023).

Currently, no known public exploit code is available (as of July 26, 2025). If public exploit code becomes available, we expect broader exploitation of vulnerable internet-facing systems. Organizations running the affected software are advised to apply the vendor patch as soon as possible.

Affected Products

Please note: Information on affected versions or requirements for exploitability may change as we learn more about the threat.

CVE-2023-35078 affects all supported versions of Ivanti Endpoint Manager Mobile (EPMM) prior to the vendor patch:

  • 11.10
  • 11.9
  • 11.8

Product versions no longer receiving support are also affected, and Ivanti has released a workaround as part of their response.

Ivanti has released the following patches to remediate the issue:

  • 11.10.0.2
  • 11.9.1.1
  • 11.8.1.1
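
To triage an asset inventory against the version lists above, a small classifier can help; this is an added example, not Ivanti or Rapid7 code. It assumes plain dotted numeric version strings, uses constructed hostnames, and reports any branch the advisory does not cover (or any string it cannot parse) as UNKNOWN for manual review.

```python
import re

# Fixed releases per supported branch, as listed in the advisory above.
FIXED = {(11, 10): (11, 10, 0, 2), (11, 9): (11, 9, 1, 1), (11, 8): (11, 8, 1, 1)}
OLDEST_SUPPORTED = min(FIXED)  # (11, 8)

def parse_version(text):
    """Parse a dotted numeric version such as '11.9.1.0' into a 4-tuple."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(version_text):
    """Return PATCHED, VULNERABLE, UNSUPPORTED or UNKNOWN for one version."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "UNKNOWN"  # e.g. build suffixes or empty fields: review by hand
    branch = version[:2]
    if branch in FIXED:
        return "PATCHED" if version >= FIXED[branch] else "VULNERABLE"
    if branch < OLDEST_SUPPORTED:
        return "UNSUPPORTED"  # also affected; upgrade or apply the workaround
    return "UNKNOWN"  # newer branch: not covered by this advisory

def triage(inventory):
    """Group hostnames by status from an iterable of (host, version) pairs."""
    report = {}
    for host, version_text in inventory:
        report.setdefault(classify(version_text), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("mdm-a.example.internal", "11.10.0.2"),
    ("mdm-b.example.internal", "11.10.0.1"),
    ("mdm-c.example.internal", "11.9.1.0"),
    ("mdm-d.example.internal", "11.8.1.1"),
    ("mdm-e.example.internal", "11.4.1"),
    ("mdm-f.example.internal", "unknown build"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:12} {', '.join(hosts)}")
```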

Rapid7 Customers

Instructions to install the patch or workaround are available on Ivanti's KB article (which requires a free login to access).

An unauthenticated (remote) check will be available to InsightVM customers in tonight’s (July 26, 2023) content release.