What is Ivanti Endpoint Manager Mobile (EPMM)?
Ivanti Endpoint Manager Mobile (EPMM), formerly branded as MobileIron Core, is an enterprise Mobile Device Management (MDM) platform used by organizations to centrally manage and secure smartphones, tablets, and other mobile devices across their workforce. It is widely deployed in government agencies, healthcare organizations, and large enterprises to enforce mobile security policies, distribute applications, and manage device compliance.
Key functions include:
- Device enrollment and lifecycle management — provision, configure, and retire corporate and BYOD mobile devices
- Policy enforcement — push security policies (encryption, screen lock, app restrictions) to enrolled devices
- Application management — distribute, update, and remotely wipe enterprise applications from a central console
- VPN and network access — configure and distribute VPN profiles and certificates to managed endpoints
- Compliance monitoring — continuously assess enrolled device posture and flag non-compliant devices
EPMM is typically deployed as an on-premises appliance with its management interface exposed to the internet for device check-ins — which significantly increases its attack surface. As an MDM server, a compromised EPMM instance gives attackers visibility into every enrolled device's identity, network configuration, and communications metadata. It also provides the ability to push malicious profiles, certificates, or applications to all enrolled devices, making it an exceptionally high-value target for nation-state espionage operations.
Overview
CVE-2023-35078 is a critical authentication bypass vulnerability (CWE-287) in Ivanti EPMM that allows an unauthenticated remote attacker to access specific API paths without any credentials. By manipulating the URI path to the EPMM API v2 endpoint, attackers can bypass all authentication controls and directly reach protected API functionality.
Successful exploitation allows an attacker to access personally identifiable information (PII) — including names, phone numbers, and mobile device details of enrolled users — and to make configuration changes including installing software and modifying security profiles on managed devices. When chained with the companion vulnerability CVE-2023-35081 (path traversal), attackers can achieve unauthenticated remote code execution by writing webshells to the server.
This vulnerability was exploited as a zero-day from at least April 2023 — approximately three months before public disclosure — in a confirmed nation-state campaign that breached the IT platform used by 12 Norwegian government ministries. It was added to the CISA KEV catalog on the same day it was publicly disclosed, reflecting confirmed active exploitation.
Affected Versions
| Version branch | Vulnerable | Fixed version |
|---|---|---|
| EPMM 11.10.x | Yes | 11.10.0.2 |
| EPMM 11.9.x | Yes | 11.9.1.1 |
| EPMM 11.8.x | Yes | 11.8.1.1 |
| EPMM 11.7 and earlier | Yes (unsupported) | Upgrade to supported version |
| Ivanti Neurons for MDM (cloud) | Not affected | — |
Organizations on unsupported versions prior to 11.8.1.0 were instructed to immediately upgrade to a supported version.
Technical Details
CVE-2023-35078 is an improper authentication vulnerability (CWE-287) rooted in the EPMM API routing layer. The API v2 endpoint allows unauthenticated access by manipulating the URI path — authentication enforcement is missing for certain API routes, meaning an attacker can construct a crafted request that bypasses authentication controls entirely without needing a valid session or credentials.
Once an unauthenticated attacker has access to the API, they can:
- Query and extract PII from the user and device database (names, phone numbers, IMEI numbers, email addresses)
- Enumerate managed devices and their configuration details
- Make configuration changes to the EPMM server
- Install software or push modified security profiles to enrolled devices
Chaining with CVE-2023-35081: NCSC-NO observed active chaining of CVE-2023-35078 with CVE-2023-35081. CVE-2023-35081 allows an authenticated administrator to write arbitrary files via path traversal — but when combined with CVE-2023-35078's authentication bypass, an unauthenticated attacker gains effective administrator-level write access, enabling webshell deployment. Observed webshells were written to directories such as /var/mobileiron/.
Attack characteristics:
- No authentication, session, or prior access required
- Exploitable from the internet against any EPMM instance with a reachable management interface
- Low attack complexity — URI path manipulation only
- Exploitation was actively occurring for approximately 3 months before vendor disclosure
Discovery
The vulnerability was identified and reported to Ivanti by mnemonic, a Norwegian cybersecurity firm, during incident response operations following the Norwegian government breach. Ivanti acknowledged mnemonic's assistance in the joint CISA/NCSC-NO advisory. NCSC-NO also contributed to the joint advisory and coordinated disclosure with Ivanti. The Norwegian National Security Authority publicly confirmed that the vulnerability was used to breach a software platform serving 12 Norwegian government ministries.
Exploitation Context
CVE-2023-35078 has confirmed nation-state exploitation and represents one of the most consequential zero-day campaigns of 2023:
- Zero-day window: APT actors exploited this vulnerability from at least April 2023, roughly three months before the July 23, 2023 patch release — a significant pre-disclosure exploitation period.
- Norwegian government breach: Attackers used CVE-2023-35078 to access and compromise a centralized IT platform used by 12 Norwegian government ministries. The Norwegian National Security Authority confirmed the breach and characterized it as a serious incident targeting national government infrastructure.
- SOHO router proxying: The joint CISA/NCSC-NO advisory noted that APT actors proxied their attack traffic through compromised small office/home office (SOHO) routers, a common technique used to obscure attribution and evade IP-based blocking.
- Exploitation scope: Beyond Norway, the advisory noted that APT actors gathered information from several Norwegian organizations and used the vulnerability to gain initial access to government network infrastructure.
- Chaining: Active chaining with CVE-2023-35081 was observed in the wild, enabling webshell deployment and persistent access.
- Broad exposure: The vulnerability affected all EPMM instances with internet-exposed management interfaces — a common deployment model for government and enterprise customers.
Remediation
- Apply the emergency patch immediately — upgrade to EPMM 11.10.0.2, 11.9.1.1, or 11.8.1.1 depending on your installed version branch; for versions prior to 11.8, upgrade to a supported release first
- Also patch CVE-2023-35081 — the path traversal companion vulnerability (fixed July 28, 2023) should be applied simultaneously to eliminate the webshell-deployment attack chain
- Restrict internet access to the EPMM management interface — place EPMM behind a VPN gateway or restrict access to allowlisted IP ranges using firewall ACLs; the management interface should not be directly reachable from the public internet
- Review API access logs — examine EPMM web server logs for unauthenticated requests to API v2 endpoints; mnemonic noted that exploitation is detectable by reviewing logs for anomalous API v2 access patterns
- Hunt for webshells — if you have not yet patched, check for unexpected files in /var/mobileiron/ and other EPMM directories, particularly .jsp files that were not placed by the installer
- Audit enrolled device changes — review configuration changes, software deployments, and security profile modifications made during the potential exploitation window (April–July 2023)
- Treat the EPMM server as potentially compromised if exploitation indicators are present — this includes rotating EPMM administrator credentials and reviewing all enrolled device profiles
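The following script pulls together three of the remediation steps above (version check against the fixed releases, review of API v2 access in the web server logs, and a hunt for installer-unknown .jsp files) as a single defender-side triage helper. It is an added example written for this write-up, not code from Ivanti, CISA, NCSC-NO or mnemonic. It assumes NCSA combined-format access logs, that API v2 routes contain the path segment `/api/v2/`, and that a baseline list of installer-placed .jsp files is available from a known-good install of the same build; the log lines and file lists it processes are constructed sample data.

```python
"""Defender-side triage helpers for CVE-2023-35078 (Ivanti EPMM).

Added example, not vendor or advisory code. Labelled assumptions:
  * the EPMM web server logs requests in NCSA combined format;
  * API v2 routes contain the path segment "/api/v2/";
  * a baseline of installer-placed .jsp files under /var/mobileiron/
    exists (BASELINE_JSP), produced from a known-good install.
"""
import os
import re

# Fixed releases per version branch, taken from the affected-versions table.
FIXED_BY_BRANCH = {
    (11, 10): (11, 10, 0, 2),
    (11, 9): (11, 9, 1, 1),
    (11, 8): (11, 8, 1, 1),
}


def parse_version(text):
    """'11.10.0.1' -> (11, 10, 0, 1); shorter strings are zero-padded to 4 fields."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version):
    """True if the build precedes the fix for its branch. Branches before 11.8
    are unsupported and treated as vulnerable; branches the table does not
    cover return None (outside what this write-up states)."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    if branch < (11, 8):
        return True
    return None


# NCSA combined format: host ident authuser [timestamp] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def flag_api_v2_access(lines, trusted_hosts=frozenset()):
    """Return (host, ts, user, path, status) for every successful API v2 request
    from a host outside the trusted admin/integration set. Everything an
    analyst needs to pivot on (source, time, identity, route) is kept."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        d = m.groupdict()
        if "/api/v2/" not in d["path"].lower():
            continue
        if not d["status"].startswith("2") or d["host"] in trusted_hosts:
            continue
        hits.append((d["host"], d["ts"], d["user"], d["path"], int(d["status"])))
    return hits


def unexpected_jsp(relative_paths, baseline):
    """Sorted .jsp paths (relative to the scanned root) missing from the baseline."""
    return sorted(p for p in relative_paths
                  if p.lower().endswith(".jsp") and p not in baseline)


def list_tree(root):
    """Relative paths of all regular files under root, for unexpected_jsp()."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            out.append(os.path.relpath(os.path.join(dirpath, name), root))
    return out


# Constructed sample log lines; RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    '10.0.8.15 - admin [21/Jul/2023:08:02:11 +0000] "GET /api/v2/devices?limit=50 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [21/Jul/2023:08:05:43 +0000] "GET /api/v2/users HTTP/1.1" 200 48211 "-" "python-requests/2.31"',
    '198.51.100.23 - - [21/Jul/2023:08:05:44 +0000] "GET /api/v2/devices HTTP/1.1" 200 77311 "-" "python-requests/2.31"',
    '203.0.113.9 - - [21/Jul/2023:08:06:10 +0000] "GET /api/v2/users HTTP/1.1" 401 0 "-" "curl/8.1.2"',
    '192.0.2.40 - - [21/Jul/2023:08:07:02 +0000] "POST /mifs/c/d/android.html HTTP/1.1" 200 512 "-" "MobileIron/Android"',
]
TRUSTED_ADMIN_HOSTS = frozenset({"10.0.8.15"})   # constructed allowlist
BASELINE_JSP = frozenset()  # placeholder: fill from a known-good install of the same build

if __name__ == "__main__":
    for v in ("11.10.0.1", "11.10.0.2", "11.7.2.0"):
        print(v, {True: "vulnerable", False: "fixed", None: "not in table"}[is_vulnerable(v)])
    for hit in flag_api_v2_access(SAMPLE_LOG, TRUSTED_ADMIN_HOSTS):
        print("API v2 access from untrusted host:", hit)
    root = "/var/mobileiron"  # directory named in the advisory text above
    if os.path.isdir(root):
        print("unexpected .jsp files:", unexpected_jsp(list_tree(root), BASELINE_JSP))
```

Against the constructed log, only the two successful `/api/v2/` requests from 198.51.100.23 are reported: the trusted admin host is allowlisted, the 401 is a failed attempt rather than a success, and the device check-in is not an API v2 route. Trusted hosts should be the documented admin and integration sources, so that anything flagged is genuinely unexplained rather than noise; a short list of false positives to resolve is far more useful than a raw dump of all API v2 traffic.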
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-35078 |
| Vendor / Product | Ivanti — Endpoint Manager Mobile (EPMM) |
| NVD Published | 2023-07-25 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-287 |
| CISA KEV Added | 2023-07-25 |
| CISA KEV Deadline | 2023-08-15 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2023-04-01 | APT actors begin exploiting CVE-2023-35078 as a zero-day against Norwegian government organizations (earliest confirmed exploitation) |
| 2023-07-20 | Norwegian National Cyber Security Centre (NCSC-NO) becomes aware of active exploitation targeting Norwegian government systems |
| 2023-07-23 | Ivanti releases emergency patch (versions 11.10.0.2, 11.9.1.1, 11.8.1.1) |
| 2023-07-25 | CVE-2023-35078 publicly disclosed; added to CISA Known Exploited Vulnerabilities catalog same day |
| 2023-08-01 | CISA and NCSC-NO publish joint advisory AA23-213A detailing exploitation TTPs |
| 2023-08-15 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2023-35078 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Ivanti Security Advisory — CVE-2023-35078 | Vendor Advisory |
| CISA/NCSC-NO Joint Advisory AA23-213A — Threat Actors Exploiting Ivanti EPMM Vulnerabilities | US Government |
| Threat Advisory: Ivanti EPMM Authentication Bypass (CVE-2023-35078) — mnemonic | Security Research |
| CVE-2023-35078: Ivanti EPMM Unauthenticated API Access — Tenable | Security Research |
| Threat Brief: CVE-2023-35078 in Ivanti EPMM — Palo Alto Unit 42 | Security Research |
| Ivanti zero-day exploited to target Norwegian government — Help Net Security | News |
| Norway says Ivanti zero-day was used to hack govt IT systems — BleepingComputer | News |