CISA warns that a critical authentication bypass vulnerability in Ivanti's Endpoint Manager Mobile and MobileIron Core device management software is now under active exploitation.
Tracked as CVE-2023-35082, the flaw is a remote unauthenticated API access vulnerability affecting all versions of EPMM 11.10, 11.9, and 11.8, and MobileIron Core 11.7 and below.
Successful exploitation provides attackers access to personally identifiable information of mobile device users and can let them backdoor compromised servers when chaining the bug with other flaws.
Cybersecurity company Rapid7, which discovered and reported the vulnerability, provides indicators of compromise (IOCs) to help admins detect signs of a CVE-2023-35082 attack.
According to Shodan, 6,300 Ivanti EPMM user portals are currently exposed online, while the Shadowserver threat monitoring platform tracks 3,420 Internet-exposed EPMM appliances.
Shodan's data also reveals that more than 150 instances linked to government agencies worldwide can be directly accessed via the Internet.
While it has yet to provide further details on CVE-2023-35082 active exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation and says there's no evidence of abuse in ransomware attacks.
The cybersecurity agency also ordered U.S. federal agencies to patch it by February 2, as required by a binding operational directive issued three years ago.
Ivanti has yet to update its August advisories or issue another notification warning that attackers are using this security vulnerability in the wild.
Two other Ivanti Connect Secure zero-days, an auth bypass and a command injection, are now also under mass exploitation by multiple threat groups, starting January 11.
Victims compromised so far range from small businesses to multiple Fortune 500 companies from various industry sectors, with the attackers having already backdoored over 1,700 ICS VPN appliances using a GIFTEDVISITOR webshell variant.
Multiple other Ivanti zero-days have been exploited in recent years to breach dozens of government, defense, and financial organizations across the United States and Europe, several Norwegian government organizations, as well as in targeted attacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 18 Jan 2024 20:55:11 +0000