Introduction
Ivanti has released a critical warning regarding CVE-2023-35082, a high-severity security vulnerability affecting Endpoint Manager Mobile (EPMM), formerly known as MobileIron. This vulnerability is currently being exploited in the wild as a zero-day.
The flaw allows unauthenticated, remote attackers to execute arbitrary code on susceptible EPMM servers. Given EPMM's role in managing mobile device fleets and corporate data, a compromise here gives attackers a potent beachhead into the organization's core network, potentially leading to data exfiltration, device fleet manipulation, or lateral movement. This is not a theoretical risk; active exploitation campaigns are scanning for exposed management interfaces.
Technical Analysis
- Affected Products: Ivanti Endpoint Manager Mobile (EPMM)
- Affected Versions:
  - All versions of 11.10.x prior to 11.10.0.2
  - All versions of 11.9.x prior to 11.9.1.2
  - All versions of 11.8.x and below
- CVE ID: CVE-2023-35082
- CVSS Score: 8.4 (High)
- Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
How it Works:
The vulnerability stems from a missing authentication check on a specific API endpoint within the EPMM web interface. While the initial advisory (CVE-2023-35078) focused on the /mifs/ endpoint on port 8443, CVE-2023-35082 exposes a similar path on the default port 443.
Attack Chain:
- Scanning: Attackers scan the internet for exposed Ivanti EPMM management interfaces (port 443).
- Exploitation: A specially crafted HTTP request is sent to the vulnerable API endpoint without valid session cookies or headers.
- Execution: Because of the authentication bypass, the server processes the request, allowing the attacker to execute arbitrary system commands or write files.
- Persistence: Attackers often drop webshells or create reverse shells to maintain access to the underlying Linux OS.
Exploitation Status: Confirmed Active Exploitation (Zero-Day).
Detection & Response
SIGMA Rules
The following rules target the specific web access patterns indicative of exploitation attempts against the known vulnerable paths, as well as the process anomalies typical of successful RCE on these Linux appliances.
---
title: Potential Exploitation of Ivanti EPMM API Endpoint
id: 4a5b6c7d-8e9f-0123-4567-89abcdef0123
status: experimental
description: Detects potential exploitation attempts against Ivanti EPMM (CVE-2023-35082) via requests to the /mifs/ administrative path on port 443.
references:
    - https://forums.ivanti.com/s/article/KB-Endpoint-Manager-Mobile-EPMM-Security-Advisory-for-CVE-2023-35082
author: Security Arsenal
date: 2023/09/25
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
    product: apache
detection:
    selection:
        c-uri|contains: '/mifs/'
        cs-method: 'POST'
    condition: selection
falsepositives:
    - Legitimate administrative API usage (verify source IP)
level: critical
---
title: Linux Webshell Spawned by Java Parent Process
id: 1a2b3c4d-5e6f-7890-1234-567890abcdef
status: experimental
description: Detects suspicious shell processes spawned by the Java/Tomcat service typical of Ivanti EPMM appliances, indicating potential RCE.
references:
    - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2023/09/25
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/java'
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/perl'
            - '/python'
    condition: selection
falsepositives:
    - Legitimate administrative scripting by support staff
level: high
KQL (Microsoft Sentinel)
These queries hunt for the URI pattern associated with the vulnerability in proxy or firewall logs ingested as CEF (CommonSecurityLog) or as raw Syslog, and for the Java service spawning a shell on Linux hosts if process events (for example from auditd) are ingested through the ASIM imProcessCreate parser.
// Hunt for POST requests to the vulnerable /mifs/ path in CEF proxy/firewall logs
CommonSecurityLog
| where RequestMethod =~ 'POST'
| where RequestURL contains '/mifs/'
| summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by SourceIP, DestinationIP, DestinationPort, DeviceVendor, DeviceProduct, RequestURL
| order by LastSeen desc
// Same hunt over raw Syslog lines (e.g. forwarded web server access logs)
Syslog
| where SyslogMessage has 'POST' and SyslogMessage has '/mifs/'
| extend Uri = extract(@'"POST\s+(/mifs/[^\s"]*)', 1, SyslogMessage)
| where isnotempty(Uri)
| summarize Count = count() by bin(TimeGenerated, 1h), Computer, HostIP, Uri
| order by TimeGenerated desc
// Hunt for the Java service spawning a shell on Linux (ASIM process events, e.g. from auditd)
imProcessCreate
| where ActingProcessName endswith '/java'
| where TargetProcessName matches regex @'/(sh|bash|dash|perl|python[0-9.]*|nc|ncat)$'
| project TimeGenerated, DvcHostname, ActorUsername, ActingProcessName, TargetProcessName, TargetProcessCommandLine
| order by TimeGenerated desc
Velociraptor VQL
These VQL queries hunt for suspicious child processes of the Java/Tomcat service and for recently modified script-like files in the web directories on the EPMM server itself.
-- Hunt for suspicious child processes of the EPMM Java/Tomcat service
-- (the /opt/iron path is the install location this query assumes)
LET java_pids = SELECT Pid FROM pslist()
    WHERE Name =~ '^java$' AND Exe =~ '/opt/iron'

SELECT Pid, Name, CommandLine, Exe, Username, Ppid
FROM pslist()
WHERE Ppid IN java_pids.Pid
  AND Name =~ '^(sh|bash|dash|perl|python[0-9.]*|nc|wget|curl)$'

-- Hunt for recently modified files in web directories (webshell detection)
SELECT FullPath, Size, Mtime, Atime, Mode, IsDir
FROM glob(globs=['/**/mifs/**', '/**/tomcat/webapps/**'])
WHERE NOT IsDir
  AND Mtime > timestamp(epoch=now() - 7 * 24 * 3600)
  AND Size < 50000
  AND Mtime != Atime
  AND Name =~ '\.(jsp|jspx|php|sh)$'
Remediation Script
Use this Bash script on your EPMM appliance to verify the installed version against the vulnerable ranges.
#!/bin/bash
# Check Ivanti EPMM version for CVE-2023-35082
echo "Checking Ivanti EPMM version..."

# Prefer the RPM database (the package names below are the ones this script assumes)
if command -v rpm &> /dev/null; then
    VERSION=$(rpm -q --queryformat '%{VERSION}' ivanti-epmm 2>/dev/null) \
        || VERSION=$(rpm -q --queryformat '%{VERSION}' mobileiron-core 2>/dev/null) \
        || VERSION=""
    echo "Current installed version: $VERSION"
else
    # Fall back to the appliance configuration file
    VERSION=$(grep VERSION /etc/mi/mi_config 2>/dev/null | head -n1 | cut -d'=' -f2)
    echo "Detected version from config: $VERSION"
fi

# Vulnerable ranges (simplified for guidance; compare manually against the advisory)
if [[ -n "$VERSION" ]]; then
    echo "Comparing against vulnerable ranges..."
    echo "Vulnerable: all 11.10.x below 11.10.0.2, all 11.9.x below 11.9.1.2, and 11.8.x and lower."
    echo "Please verify manually against the Ivanti Security Advisory:"
    echo "URL: https://forums.ivanti.com/s/article/KB-Endpoint-Manager-Mobile-EPMM-Security-Advisory-for-CVE-2023-35082"
else
    echo "Could not determine version automatically. Please check via the Admin Console."
fi

# Check for recently modified files in the web root (potential webshells)
echo "Checking for files modified in the last 24 hours under /mifs/ ..."
find /mifs/ -type f -mtime -1 -ls 2>/dev/null
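The script above only prints the vulnerable ranges and leaves the comparison to the reader. The following POSIX shell functions are an added example (not part of the advisory or of Ivanti's tooling) that encode those ranges so a version string can be classified mechanically; they assume GNU sort -V for version ordering, and the version strings fed in at the end are constructed.

```shell
#!/bin/sh
# Added example: classify an EPMM version string against the advisory's ranges.
# Assumes GNU coreutils (sort -V) for version ordering.

# version_lt A B: succeeds when version A sorts strictly before version B
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# epmm_vulnerable VERSION: exit 0 when VERSION lies inside a range the advisory
# lists for CVE-2023-35082, exit 1 otherwise (including versions newer than 11.10.x).
epmm_vulnerable() {
  case "$1" in
    11.10|11.10.*) version_lt "$1" 11.10.0.2 ;;   # 11.10.x fixed in 11.10.0.2
    11.9|11.9.*)   version_lt "$1" 11.9.1.2 ;;    # 11.9.x fixed in 11.9.1.2
    *)             version_lt "$1" 11.9 ;;        # 11.8.x and below: no fixed build
  esac
}

# epmm_verdict VERSION: prints a one-line verdict; exit status mirrors epmm_vulnerable
epmm_verdict() {
  if epmm_vulnerable "$1"; then
    echo "$1: VULNERABLE - upgrade per the Ivanti advisory"
  else
    echo "$1: not within the listed vulnerable ranges"
    return 1
  fi
}

# Constructed sample version strings (not read from a real appliance)
for v in 11.10.0.1 11.10.0.2 11.9.0.3 11.9.1.2 11.8.1.1; do
  epmm_verdict "$v" || true
done
```

On an appliance, feed the VERSION value produced by the script above into epmm_verdict instead of the constructed list.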
Remediation
Given the active exploitation status, immediate action is required.
1. Patch Immediately: Upgrade to the latest patched versions released by Ivanti. Vulnerable versions must be updated to:
- Version 11.10: Upgrade to 11.10.0.2 or later
- Version 11.9: Upgrade to 11.9.1.2 or later
- Version 11.8 and below: Migrate to a supported fixed version immediately.
2. Network Segmentation (Workaround): If patching is not immediately feasible, restrict access to the management interface.
- Block internet traffic to the EPMM management interface (ports 8080, 8443, and 443) from untrusted networks.
- Ensure access is only allowed via VPN or from specific internal management subnets.
3. Threat Hunt: Assume compromise if your system was exposed. Check logs for:
- Unusual POST requests to /mifs/ endpoints.
- Creation of unexpected users or cron jobs on the underlying Linux OS.
- Outbound connections from the EPMM server to unknown IPs (C2 traffic).
4. Reset Credentials: If exploitation is suspected, rotate all administrative credentials and secrets stored within the EPMM platform.
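For the first item in the threat-hunt list, here is an added POSIX shell example (not from the advisory) that scans an Apache combined-format access log for POST requests to /mifs/ coming from outside an allowlist of management subnets. The allowlist prefixes, the request paths and the log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag POST requests to /mifs/ from non-management sources in an
# Apache combined-format access log. Allowlist and log lines are constructed.

# Space-separated source IP prefixes treated as legitimate management access
# (assumption: replace with your own management subnets).
MGMT_PREFIXES="10.0.5. 192.168.10."

# hunt_mifs_posts LOGFILE: prints "ip count" for POSTs to /mifs/ from
# addresses outside MGMT_PREFIXES, busiest source first.
hunt_mifs_posts() {
  awk -v allow="$MGMT_PREFIXES" '
    BEGIN { n = split(allow, pre, " ") }
    # true when ip starts with one of the allowlisted prefixes
    function allowed(ip,   i) {
      for (i = 1; i <= n; i++) if (index(ip, pre[i]) == 1) return 1
      return 0
    }
    # combined log format: $1 client IP, $6 "METHOD, $7 request path
    $6 == "\"POST" && index($7, "/mifs/") == 1 && !allowed($1) { hits[$1]++ }
    END { for (ip in hits) print ip, hits[ip] }
  ' "$1" | sort -k2,2nr
}

# Constructed sample log (documentation-range addresses, placeholder paths)
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [25/Sep/2023:10:00:01 +0000] "POST /mifs/placeholder/api HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [25/Sep/2023:10:00:02 +0000] "POST /mifs/placeholder/api HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [25/Sep/2023:10:00:03 +0000] "GET /mifs/placeholder/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2023:10:05:00 +0000] "POST /mifs/placeholder/api HTTP/1.1" 401 0 "-" "curl/8.0"
10.0.5.20 - - [25/Sep/2023:10:06:00 +0000] "POST /mifs/placeholder/api HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF

hunt_mifs_posts "$SAMPLE_LOG"
```

Any source that shows up here warrants the follow-up checks in the rest of the list (new users, cron jobs, outbound C2 connections).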
Vendor Advisory: Ivanti Security Advisory for CVE-2023-35082