
CVE-2023-35078: Ivanti EPMM — Unauthenticated API Access

CVE Details

CVE ID: CVE-2023-35078
CVSS Score: 10
Severity: Critical
Vendor: Ivanti
Product: Endpoint Manager Mobile (EPMM)
Patch Status: Available
Published: July 25, 2023
EPSS Score: 94.4%
CISA Patch Deadline: August 15, 2023 (federal deadline passed)

Background

Ivanti Endpoint Manager Mobile, formerly known as MobileIron Core, is a mobile device management (MDM) platform used by organisations to manage employee smartphones, tablets, and laptops. It is widely deployed in government, healthcare, and financial services: sectors that need robust device management and are also subject to strict data protection requirements.

CVE-2023-35078 carries the maximum CVSS score of 10.0: unauthenticated access to any API endpoint, with no credentials and no special conditions required. It was discovered being exploited in the wild as a zero-day, with Norwegian government agencies among the confirmed victims. Ivanti patched it in July 2023 under pressure, after active exploitation had been attributed.

Technical Mechanism

EPMM exposes a REST API for device management, configuration, and data access. The authentication mechanism has a bypass condition where specific API paths can be accessed without any authentication by manipulating the request path.

The bypass exploits the way the application’s servlet filter processes URL patterns. Certain path patterns intended to be public (like health check endpoints) are defined with wildcard patterns that are overly broad. By appending these public path suffixes or manipulating request paths, an attacker can access any API endpoint without authentication.

For example, a request to:

/mifs/aad/api/v2/authorized/..;/api/v2/devicestatistics

The ..; sequence in many Java application frameworks (including those using Apache Tomcat) causes the path to be evaluated differently by the URL filter versus the servlet router. The filter sees a public path; the router sees the actual API endpoint.
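
As an added illustration of the filter/router mismatch described above (example code, not Ivanti's): a naive allowlist filter that prefix-matches the raw path, a resolver that approximates the container's handling of `;` path parameters and `..` segments, and a hardened filter that decides on the resolved path and defaults to requiring authentication. The `PUBLIC_PREFIXES` allowlist is an assumption built from the page's example request, not EPMM's real configuration.

```python
import posixpath

# Constructed illustration, not Ivanti's code: an allowlist of URL prefixes that an
# authentication filter treats as public (the advisory describes health-check style
# paths configured this way). The prefix is taken from the page's example request.
PUBLIC_PREFIXES = ("/mifs/aad/api/v2/authorized/",)

def naive_filter_is_public(raw_path: str) -> bool:
    """Vulnerable pattern: prefix-match the raw request path as received,
    before path parameters (';...') or dot segments have been processed."""
    return raw_path.startswith(PUBLIC_PREFIXES)

def container_resolve(raw_path: str) -> str:
    """Approximate what the servlet router sees after the container's own
    processing: each segment's path parameter (';...') is dropped, then
    '.' and '..' segments are resolved."""
    segments = [seg.split(";", 1)[0] for seg in raw_path.split("/")]
    return posixpath.normpath("/".join(segments))

def hardened_filter_is_public(raw_path: str) -> bool:
    """Fixed pattern: refuse paths the container could reinterpret, decide on
    the resolved path, and default to requiring authentication."""
    if ";" in raw_path or "%" in raw_path or "\\" in raw_path:
        return False  # path parameters and encodings change meaning later in the chain
    resolved = container_resolve(raw_path)
    if raw_path not in (resolved, resolved + "/"):
        return False  # dot segments or doubled slashes: normalisation changed the path
    return any(resolved == p.rstrip("/") or resolved.startswith(p) for p in PUBLIC_PREFIXES)

def classify(raw_path: str) -> dict:
    """Show both views of one request side by side."""
    return {
        "naive_filter_public": naive_filter_is_public(raw_path),
        "router_sees": container_resolve(raw_path),
        "hardened_filter_public": hardened_filter_is_public(raw_path),
    }

if __name__ == "__main__":
    for path in ("/mifs/aad/api/v2/authorized/health",
                 "/mifs/aad/api/v2/authorized/..;/api/v2/devicestatistics"):
        print(path, classify(path))
```

For the page's example request the naive filter answers "public" while the router resolves the path to an endpoint outside the public prefix; the hardened filter rejects it before that divergence can matter.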

Once unauthenticated API access is achieved, attackers can:

  • Query the API for usernames, email addresses, device information, and phone numbers
  • In combination with CVE-2023-35081 (a separate file write bug), drop a webshell and achieve RCE

Real-World Exploitation Evidence

CISA and NCSC Norway issued a joint advisory noting that CVE-2023-35078 was exploited as a zero-day against Norwegian government agencies — specifically the Norwegian Security and Service Organisation, which serves 12 government ministries. This was confirmed before Ivanti had a patch.

Additional exploitation indicators:

  • APT activity — security researchers attributed the zero-day exploitation to a sophisticated threat actor with characteristics consistent with a state-sponsored group
  • Reconnaissance campaigns — broad scanning for EPMM/MobileIron instances observed in threat intelligence feeds
  • Chained with CVE-2023-35081 — the file write vulnerability was used in combination to achieve full RCE beyond just data access

The targeting of government MDM infrastructure is significant — compromising MDM gives visibility into all managed devices, including government mobile devices that may contain sensitive information.

Impact Assessment

  • Mass data exfiltration — user data, device inventory, email addresses, and phone numbers accessible without authentication
  • Device manipulation — MDM APIs can push configuration profiles, install applications, and remotely wipe devices
  • Remote code execution — when chained with CVE-2023-35081, full RCE on the EPMM server
  • Government operations disruption — in the Norwegian case, 12 ministries’ IT management capabilities were exposed
  • Compliance violation — access to MDM data almost certainly constitutes a data breach under GDPR and similar frameworks

Affected Versions

Product                       | Affected Versions        | Fixed Version
Ivanti EPMM (MobileIron Core) | 11.10.x before 11.10.0.2 | 11.10.0.2
Ivanti EPMM (MobileIron Core) | 11.9.x before 11.9.1.2   | 11.9.1.2
Ivanti EPMM (MobileIron Core) | 11.8.x before 11.8.1.2   | 11.8.1.2
Ivanti EPMM                   | Older than 11.8          | Update required; check Ivanti advisory

Remediation Steps

  1. Apply Ivanti patches for your version immediately — this is a CVSS 10.0, treat it as such
  2. Check if your EPMM instance is internet-accessible and restrict access to trusted IP ranges if it is
  3. Review API access logs for unauthenticated requests to management API endpoints:
    • Logs location: /mi/jss/logs/ on the EPMM appliance
  4. Check for indicators of CVE-2023-35081 exploitation (file writes to web directories)
  5. Audit for any newly created administrator accounts in EPMM
  6. Review managed device policies for unauthorised changes
  7. If compromise is suspected, notify affected users as MDM typically manages personal data

Detection Guidance

EPMM logs — look for API access log entries where:

  • Requests to /mifs/aad/api/ or /api/v2/ endpoints with no authentication header
  • Path traversal sequences (..;) in request URLs
  • Unusual user agents (automated exploit tools often use generic user agents)
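
The three log checks above, run over constructed sample lines (added example, not an Ivanti tool). The log layout, the `KNOWN_PUBLIC` allowlist and the `AUTOMATION_UA` list are assumptions; the real EPMM log format under /mi/jss/logs/ differs, and only `LINE_RE` needs adapting to it.

```python
import re
from typing import Dict, List

# Constructed sample log lines in an assumed layout (timestamp, client IP, method, URI,
# status, whether an Authorization header was present, user agent). The real EPMM log
# format under /mi/jss/logs/ differs; only LINE_RE needs adapting to it.
SAMPLE_LOG = """\
2023-07-20T09:00:12Z 198.51.100.4 GET /mifs/aad/api/v2/authorized/health 200 auth=no ua="Mozilla/5.0"
2023-07-20T09:01:03Z 203.0.113.7 GET /mifs/aad/api/v2/authorized/..;/api/v2/devicestatistics 200 auth=no ua="python-requests/2.31"
2023-07-20T09:01:09Z 203.0.113.7 GET /mifs/api/v2/devicestatistics 200 auth=no ua="python-requests/2.31"
2023-07-20T09:05:44Z 192.0.2.10 GET /mifs/api/v2/devicestatistics 200 auth=yes ua="Mozilla/5.0"
2023-07-20T09:06:00Z 192.0.2.11 GET /mifs/login.jsp 200 auth=no ua="Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) '
                     r'(?P<status>\d{3}) auth=(?P<auth>yes|no) ua="(?P<ua>[^"]*)"$')

MGMT_API_PREFIXES = ("/mifs/aad/api/", "/mifs/api/v2/")        # from the page's guidance
KNOWN_PUBLIC = ("/mifs/aad/api/v2/authorized/health",)          # assumed legitimate unauth path
AUTOMATION_UA = ("python-requests", "curl/", "go-http-client")  # assumed generic tool agents

def analyse(log_text: str) -> List[dict]:
    """Return one finding per (line, rule) that matches the page's detection bullets."""
    findings: List[dict] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a production job would count these separately
        uri, auth, ua = m["uri"], m["auth"], m["ua"].lower()
        hits = []
        if "..;" in uri:
            hits.append("traversal_sequence")  # same trigger as the Suricata rule below
        if uri.startswith(MGMT_API_PREFIXES) and auth == "no" and uri not in KNOWN_PUBLIC:
            hits.append("unauthenticated_mgmt_api")
        if uri.startswith(MGMT_API_PREFIXES) and ua.startswith(AUTOMATION_UA):
            hits.append("automation_user_agent")
        findings.extend({"line": lineno, "ip": m["ip"], "rule": h, "uri": uri} for h in hits)
    return findings

def sources_to_triage(findings: List[dict]) -> Dict[str, int]:
    """Count findings per client IP so the noisiest sources surface first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f)
    print(sources_to_triage(results))
```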

Network monitoring — monitor for bulk data export patterns from the EPMM server, particularly large API responses to external IPs.

Suricata signature:

alert http any any -> $HTTP_SERVERS any (msg:"Ivanti EPMM CVE-2023-35078 Auth Bypass Attempt"; flow:established,to_server; http.uri; content:"/mifs/"; content:"..;"; distance:0; classtype:web-application-attack; sid:2034010; rev:1;)

IOCs:

  • Requests containing ..; in paths to EPMM API endpoints
  • Unexpected admin account creation in EPMM console
  • Large API data exports to external IPs

Timeline

Date         | Event
July 2023    | CVE-2023-35078 exploited as zero-day against Norwegian government
23 July 2023 | Ivanti releases patch
24 July 2023 | CISA and Norwegian NCSC issue joint advisory
July 2023    | CISA adds CVE-2023-35078 to Known Exploited Vulnerabilities catalogue
August 2023  | CVE-2023-35081 (chained file write) exploitation details published
2023         | Continued targeting of MDM/EMM solutions by state-sponsored actors