The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA), Threat Actors Exploiting Ivanti EPMM Vulnerabilities, in response to the active exploitation of CVE-2023-35078 and CVE-2023-35081 affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.
In July 2023, NCSC-NO became aware of advanced persistent threat (APT) actors exploiting a zero-day vulnerability in Ivanti EPMM, formerly known as MobileIron Core, to target a Norwegian government network. CISA and NCSC-NO are concerned about the potential for widespread exploitation of both vulnerabilities in government and private sector networks because threat actors, including APT actors, have previously exploited a MobileIron vulnerability.
Ivanti released a patch for CVE-2023-35078 on July 23, 2023. Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081, and released a patch for the second vulnerability on July 28, 2023.
CISA and NCSC-NO recommend administrators use the CISA developed nuclei templates to determine if their system has these vulnerabilities and use the NCSC-NO developed checklist to identify signs of compromise.
All organizations are urged to review Threat Actors Exploiting Ivanti EPMM Vulnerabilities and implement its recommended actions and mitigations.
