Ivanti Mobile Management Vulnerability Seeing Exploitation: CISA

The critical vulnerability affects Ivanti’s Endpoint Manager Mobile and MobileIron Core Authentication tools.

A critical vulnerability affecting Ivanti mobile management tools is now seeing exploitation by threat actors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed Thursday.

The issue is separate from the Ivanti VPN vulnerabilities that have recently been used in widespread attacks.

CISA added the Ivanti mobile management vulnerability (tracked as CVE-2023-35082) to its catalog of vulnerabilities known to have been exploited in the wild.

The authentication bypass vulnerability impacts Ivanti Endpoint Manager Mobile versions 11.10 and older, as well as MobileIron Core versions 11.7 and older.

First disclosed in August 2023, the vulnerability can enable an unauthorized user to “potentially access users’ personally identifiable information and make limited changes to the server,” the company said in a post that month. The vulnerability has been deemed to pose the maximum possible risk, with a severity score of 10.0 out of 10.0, Ivanti said.

In its disclosure Thursday, CISA urged customers to “apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.”

In a statement provided to CRN Friday, Ivanti said it has provided a fix for the issue since disclosing the vulnerability in August 2023, and it encourages customers to upgrade to the latest version of the software. The issue is addressed in the product’s 11.11.0.0 version released on Aug. 21, 2023, the company said.

A proof-of-concept exploit was made public by a third party afterwards, Ivanti noted. “We disclosed in August that customers had been exploited following the public [proof-of-concept],” the company said in its statement Friday, noting that it provided this information to CISA in August.

VPN Attacks

The disclosure comes as Ivanti customers are already grappling with widespread attacks that have exploited flaws in Ivanti’s Connect Secure VPN devices.

In a post Monday, researchers at Volexity said they’ve found evidence suggesting more than 1,700 Ivanti Connect Secure VPN devices have been compromised, indicating that “mass exploitation” is underway. The evidence shows that victims in the attacks are “globally distributed and vary greatly in size,” the researchers, who first discovered the flaws in December, wrote in the post.

The zero-day vulnerabilities were disclosed by Ivanti on Jan. 10 and do not have patches available. Ivanti has provided mitigation measures for the vulnerabilities.

“We strongly advise all customers to apply the mitigation immediately,” Ivanti said in a statement provided to CRN Tuesday.