The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a critical authentication bypass vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core products. The flaw tracked as CVE-2023-35082 has a severity score of 9.8 out of 10 and could allow unauthorized users to access sensitive data and resources within the affected applications.

The vulnerability was discovered by Rapid7, a cybersecurity firm, and reported to Ivanti, the vendor of the products, on July 26, 2023. According to Rapid7, the vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by sending a crafted request to the affected device. A successful exploit could allow the attacker to access users’ personally identifiable information (PII) and make modifications within the server.

The vulnerability affects the following versions of the products in the default configuration:

• Ivanti EPMM 11.10 and older
• MobileIron Core 11.7 and below

Ivanti EPMM and MobileIron Core are mobile management software engines that enable IT to set policies for mobile devices, applications, and content. Government agencies and organizations widely use them to manage and secure their mobile workforce.

CISA has added CVE-2023-35082 to its Known Exploited Vulnerabilities (KEV) list as of January 18, 2024, indicating that malicious cyber actors are actively exploiting the vulnerability. CISA has also published an Emergency Directive requiring federal agencies to mitigate the vulnerability by applying patches or implementing mitigations provided by Ivanti as soon as possible.

CISA has advised non-federal organizations to review the Ivanti security advisory and the Rapid7 blog post for more information and apply the necessary updates or mitigations. 

CISA has thanked Rapid7 and Ivanti for their collaboration and coordination in disclosing and resolving the vulnerability.