Ivanti patches MobileIron zero-day bug exploited in attacks

US-based IT software company Ivanti has patched an actively exploited zero-day authentication bypass vulnerability impacting its Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core).

Ivanti released security patches for the remote unauthenticated API access vulnerability tracked as CVE-2023-35078 on Sunday.

The patches can be installed by upgrading to EPMM 11.8.1.1, 11.9.1.1, and 11.10.0.2. They also target unsupported and end-of-life software versions lower than 11.8.1.0 (e.g., 11.7.0.0, 11.5.0.0)

While Ivanti has published a security advisory to provide details on the security vulnerability, the information is being blocked by a login, given that the article can only be accessed with an account linked to Ivanti customer information.

"The article remains active behind log-in credentials for our customers," an Ivanti spokesperson told BleepingComputer when we asked for more details on the security flaw and for confirmation that it's already being abused in attacks.

"An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication," Ivanti says in the security advisory seen by BleepingComputer.

"This vulnerability impacts all supported versions 11.10, 11.9, and 11.8. Older versions/releases are also at risk. An unauthorized, remote (internet-facing) actor can access users' personally identifiable information and can allow limited changes to the server."

Already exploited by attackers in the wild

After news of the vulnerability circulated among the cybersecurity community, security expert Kevin Beaumont warned that admins should apply the patches as soon as possible due to the ease of exploitation.

While the company has not publicly admitted that the zero-day was actively exploited, the private bulletin says that a "trusted source" informed Ivanti that CVE-2023-35078 was exploited in attacks against a limited number of customers.

"We have received information from a credible source indicating exploitation against a very small number of customers (e.g., less than 10). We do not have more information the share at this time," the private advisory reads.

Ivanti added that the bug is not being exploited as part of a supply chain attack, saying that it didn't find "any indication that this vulnerability was introduced into our code development process maliciously."

Some customers have also reported that Ivanti asked them to sign non-disclosure agreements when asking for more information regarding the CVE-2023-35078 vulnerability. However, BleepingComptuer has not been able to independently confirm this.

"Ivanti became aware and addressed a vulnerability that impacts Ivanti Endpoint Manager Mobile (formerly MobileIron Core) customers," an Ivanti spokesperson BleepingComputer, after a second inquiry asking to confirm exploitation in attacks and if the company will release a public advisory.

"We immediately developed and released a patch and are actively engaging with customers to help them apply the fix."

According to a Shodan search shared by PwnDefend Cyber Security Consultant Daniel Card, over 2,900 MobileIron user portals are exposed online, with at least three dozen linked to U.S. local and state government agencies.

Most of the exposed servers are located in the United States, followed by Germany, the United Kingdom, and Hong Kong.

It is strongly advised that all network admins apply the Ivanti Endpoint Manager Mobile (MobileIron) patches as soon as possible.