TLDR: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about an actively exploited vulnerability in Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core. The vulnerability, which has been patched, is an authentication bypass that allows unauthorized remote access to users’ personally identifiable information and the ability to make limited changes to the server. All versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9, and 11.8, as well as MobileIron Core 11.7 and below, are affected. It is recommended that federal agencies apply vendor-provided fixes by February 8, 2024.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that an actively exploited vulnerability in Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core could allow unauthorized access to users’ personally identifiable information. The vulnerability, which has since been patched, is an authentication bypass that gives unauthenticated remote actors the ability to make limited changes to the server. All versions of Ivanti Endpoint Manager Mobile (EPMM) 11.10, 11.9, and 11.8, as well as MobileIron Core 11.7 and below, are affected by the vulnerability.
Cybersecurity firm Rapid7, which discovered and reported the flaw, noted that it could be chained with another flaw in Ivanti EPMM to allow an attacker to write malicious web shell files to the system. At present there are no public details on how the vulnerability is being exploited in real-world attacks. Federal agencies are advised to apply the vendor-provided fixes by February 8, 2024.
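The affected ranges above (all builds of EPMM 11.10, 11.9 and 11.8, plus MobileIron Core 11.7 and below) are easy to get wrong when an inventory is checked with string comparison, because "11.10" sorts before "11.9" lexically. The following triage script is an added example, not code from CISA, Ivanti or Rapid7; it assumes version strings are dotted numerics such as "11.8.1.0", and the hostnames and versions in the sample inventory are constructed for illustration.

```python
from datetime import date

# Vendor-fix deadline for federal agencies, as stated in the advisory text above.
CISA_DUE_DATE = date(2024, 2, 8)

# Affected ranges as stated above. The dotted-numeric version format is an
# assumption of this example, not something the advisory specifies.
AFFECTED_EPMM_MINORS = {(11, 8), (11, 9), (11, 10)}   # every build of 11.8, 11.9, 11.10
MOBILEIRON_CORE_MAX = (11, 7)                        # 11.7 and below


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '11.10.0.2' into (11, 10, 0, 2) so comparisons are numeric, not lexical."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True if this product/version falls inside a range listed in the advisory."""
    major_minor = parse_version(version)[:2]
    if product == "EPMM":
        return major_minor in AFFECTED_EPMM_MINORS
    if product == "MobileIron Core":
        return major_minor <= MOBILEIRON_CORE_MAX
    raise ValueError(f"unknown product: {product!r}")


def triage(inventory, today: date):
    """Return (host, product, version, days_left_to_deadline) for each affected host."""
    days_left = (CISA_DUE_DATE - today).days
    return [(h, p, v, days_left) for (h, p, v) in inventory if is_affected(p, v)]


# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    ("mdm-01.example.internal", "EPMM", "11.10.0.2"),
    ("mdm-02.example.internal", "EPMM", "11.9.1.1"),
    ("mdm-03.example.internal", "EPMM", "11.11.0.0"),          # outside the listed range
    ("core-legacy.example.internal", "MobileIron Core", "11.6.0.0"),
    ("core-old.example.internal", "MobileIron Core", "11.7.2.0"),
]

if __name__ == "__main__":
    for host, product, version, days in triage(SAMPLE_INVENTORY, date(2024, 1, 20)):
        print(f"{host}: {product} {version} is affected, {days} days to the CISA due date")
```

Feeding it a real MDM inventory export is a matter of replacing SAMPLE_INVENTORY; the point of parse_version is that "11.10" is correctly treated as newer than "11.9", which a plain string sort would invert and silently drop from the patch list.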
In addition to this vulnerability, two other zero-day flaws in Ivanti Connect Secure (ICS) VPN devices have also been under mass exploitation. Known as CVE-2023-46805 and CVE-2024-21887, these flaws have allowed threat actors to drop web shells and passive backdoors. Ivanti is expected to release updates for these flaws in the coming week.
Security researchers have uncovered evidence of compromise on over 1,700 devices worldwide, with additional threat actors joining the exploitation. Reverse engineering by Assetnote has revealed an additional endpoint that can be abused to obtain a reverse shell on older versions of ICS. The researchers have described these flaws as a result of simple security mistakes in secure VPN devices.