CVE-2023-35081

Ivanti EPMM — Authenticated Arbitrary File Write via Path Traversal, Enabling Webshell Deployment
CVSS 3.1: 7.2 / 10 (HIGH). Listed in the CISA Known Exploited Vulnerabilities catalog.

What is Ivanti Endpoint Manager Mobile (EPMM)?

Ivanti Endpoint Manager Mobile (EPMM), formerly branded as MobileIron Core, is an enterprise Mobile Device Management (MDM) platform used by organizations to centrally manage and secure smartphones, tablets, and other mobile devices across their workforce. It is widely deployed in government agencies, healthcare organizations, and large enterprises to enforce mobile security policies, distribute applications, and manage device compliance.

Key functions include:

  • Device enrollment and lifecycle management — provision, configure, and retire corporate and BYOD mobile devices
  • Policy enforcement — push security policies (encryption, screen lock, app restrictions) to enrolled devices
  • Application management — distribute, update, and remotely wipe enterprise applications from a central console
  • VPN and network access — configure and distribute VPN profiles and certificates to managed endpoints
  • Compliance monitoring — continuously assess enrolled device posture and flag non-compliant devices

EPMM is typically deployed as an on-premises appliance with its management interface exposed to the internet for device check-ins — significantly increasing its attack surface. A compromised EPMM server gives an attacker the ability to push malicious profiles, certificates, and applications to every enrolled device, making it an exceptionally high-value pivot point for enterprise and government network intrusion.

Overview

CVE-2023-35081 is a path traversal vulnerability (CWE-22) in Ivanti EPMM that allows an authenticated administrator to write arbitrary files — including webshells — to any location on the appliance's filesystem. While the vulnerability formally requires administrator-level credentials, it was actively exploited in conjunction with CVE-2023-35078 (authentication bypass), which allowed attackers to obtain effective administrator access without valid credentials and then use CVE-2023-35081 to establish persistent access via webshell deployment.

The Norwegian National Cyber Security Centre (NCSC-NO) confirmed active chaining of CVE-2023-35081 with CVE-2023-35078 in the campaign that breached 12 Norwegian government ministries. CVE-2023-35081 was added to the CISA KEV catalog on July 31, 2023 — three days after Ivanti released the patch.

Affected Versions

Version branch                    Vulnerable          Fixed version
EPMM 11.10.x                      Yes                 11.10.0.3
EPMM 11.9.x                       Yes                 11.9.1.2
EPMM 11.8.x                       Yes                 11.8.1.2
EPMM 11.7 and earlier             Yes (unsupported)   Upgrade to a supported version
Ivanti Neurons for MDM (cloud)    Not affected

Technical Details

CVE-2023-35081 is a path traversal vulnerability (CWE-22 — Improper Limitation of a Pathname to a Restricted Directory) in EPMM's file handling functionality. When an authenticated administrator interacts with certain file upload or configuration features, the application fails to adequately validate the destination path. An attacker can inject directory traversal sequences (such as ../) into file path parameters, escaping the intended directory structure and writing files to arbitrary locations on the underlying filesystem.

The EPMM web application runs under an operating-system service account, so files written through this vulnerability are created with that account's permissions (the tomcat user). An attacker can write a JSP webshell into the EPMM web root, which the Tomcat server will then compile and execute on request, providing persistent remote code execution.
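To make the CWE-22 failure concrete, here is an added illustration (not EPMM's own code, which this page does not reproduce): a naive save routine that joins an admin-supplied filename onto a base directory, beside a hardened version that resolves the result and refuses anything outside that directory. The directory name and file names are constructed samples.

```python
import os
from pathlib import Path

# Constructed sample: the directory an admin-facing upload feature is meant to
# write into. Not EPMM's real layout, which this page does not describe.
UPLOAD_DIR = "/opt/app/uploads"

def naive_destination(base, filename):
    """Vulnerable pattern: the supplied name is joined onto `base` without checking
    where the normalised result lands, so '../' components walk out of `base`."""
    return os.path.normpath(os.path.join(base, filename))

def inside(base, candidate):
    """True if `candidate` is `base` or lies beneath it, compared component-wise
    so that 'uploads_evil' is not mistaken for a child of 'uploads'."""
    return candidate == base or base in candidate.parents

def safe_destination(base, filename):
    """Hardened pattern: reject absolute names, resolve the joined path, confirm it
    is still under `base`, and refuse server-executable types, which an upload
    feature has no business writing. Raises ValueError on any violation."""
    if os.path.isabs(filename):
        raise ValueError("absolute paths are not allowed")
    base_path = Path(base).resolve()
    candidate = (base_path / filename).resolve()
    if not inside(base_path, candidate):
        raise ValueError("path escapes %s: %s" % (base_path, candidate))
    if candidate.suffix.lower() in {".jsp", ".jspx", ".war"}:
        raise ValueError("server-executable file type rejected")
    return str(candidate)

def escapes_base(base, dest):
    """Report whether a naively computed destination ended up outside `base`."""
    return not inside(Path(base).resolve(), Path(dest).resolve())
```

The check must run on the resolved path, not on the raw string: a blocklist for the literal substring "../" misses encoded or mixed-separator variants, whereas a containment test after resolution does not.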

Exploitation chain with CVE-2023-35078:

  1. Attacker sends a crafted unauthenticated request to the EPMM API v2 endpoint (CVE-2023-35078), bypassing authentication
  2. Using the unauthenticated API access, the attacker assumes effective administrator-level access to the EPMM management interface
  3. The attacker then exploits CVE-2023-35081 to write a JSP webshell to a web-accessible directory (e.g., /var/mobileiron/)
  4. The attacker sends HTTP requests to the deployed webshell to execute arbitrary OS commands on the appliance

Attack characteristics:

  • As a standalone vulnerability, requires administrator credentials (CVSS PR:H)
  • When chained with CVE-2023-35078, effectively becomes an unauthenticated RCE chain
  • Enables persistent backdoor access that survives service restarts
  • Observed webshells written to /var/mobileiron/ in confirmed incidents

Discovery

CVE-2023-35081 was identified by Ivanti during its investigation of CVE-2023-35078 — Ivanti determined that the authentication bypass vulnerability could be chained with this path traversal to enable more severe exploitation. The Norwegian National Cyber Security Centre (NCSC-NO) confirmed active in-the-wild chaining of both vulnerabilities. The joint CISA/NCSC-NO advisory (AA23-213A) documented the exploitation pattern.

Exploitation Context

CVE-2023-35081 was exploited in the wild as part of the same nation-state campaign that leveraged CVE-2023-35078:

  • Chained exploitation confirmed: NCSC-NO observed attackers chaining CVE-2023-35078 and CVE-2023-35081 in the Norwegian government breach, using the authentication bypass to gain access and the path traversal to establish persistent webshell backdoors.
  • Webshell deployment: Attackers were observed writing webshell files to /var/mobileiron/ on compromised EPMM appliances. These webshells provided persistent remote command execution that survived server restarts and allowed the APT actors to maintain access even after the initial authentication bypass was mitigated.
  • APT campaign context: The same APT actors that exploited CVE-2023-35078 from at least April 2023 through July 2023 leveraged this path traversal vulnerability to convert their initial foothold into persistent access. The actors proxied attack traffic through compromised SOHO routers.
  • Impact on Norwegian government: The attack chain ultimately breached the ICT platform used by 12 Norwegian government ministries, with the webshell providing the persistent access used to conduct further reconnaissance and data collection.

Remediation

  1. Apply the CVE-2023-35081 patch — upgrade to EPMM 11.10.0.3, 11.9.1.2, or 11.8.1.2; this must be applied in addition to the CVE-2023-35078 patch (11.10.0.2 / 11.9.1.1 / 11.8.1.1)
  2. Also patch CVE-2023-35078 — the authentication bypass companion vulnerability enables unauthenticated exploitation of this path traversal; both patches are required to eliminate the attack chain
  3. Hunt for webshells — check for unexpected JSP files in /var/mobileiron/ and other EPMM web-accessible directories; any file not placed by the installer should be treated as suspicious
  4. Review administrator activity logs — examine EPMM audit logs for file write operations, configuration changes, and API calls made during the exploitation window
  5. Restrict internet access to the EPMM management interface — place EPMM behind a VPN gateway or firewall ACLs limiting access to allowlisted IPs; internet exposure of the management interface is what made this attack chain viable
  6. Assume compromise if unpatched — if you have not yet applied patches and your EPMM instance was internet-accessible, treat the server as potentially compromised; rotate all administrator credentials and audit enrolled device configurations for unauthorized changes
  7. Check enrolled device integrity — if EPMM was compromised via webshell, any configuration profiles, certificates, or applications pushed to enrolled devices during the compromise window should be reviewed and potentially revoked
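Steps 3 and 4 above call for a webshell hunt across EPMM's web-served directories. The following is an added example (not an Ivanti tool) of the comparison a responder would run: it walks a directory such as /var/mobileiron/, hashes every JSP-like file, and flags anything missing from a clean-install baseline, differing from it, or modified during the exploitation window. The baseline, the sample tree and the window start date are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

SUSPECT_SUFFIXES = {".jsp", ".jspx"}  # file types Tomcat executes from a web root

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hunt_jsp(root, baseline, window_start):
    """Walk `root` (for EPMM, /var/mobileiron/ and other web-served paths) and
    report JSP-like files absent from `baseline` (relative path -> sha256 from a
    clean appliance of the same version), differing from it, or modified at or
    after `window_start`. Never build the baseline from the suspect host itself."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        digest = sha256_of(path)
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline manifest")
        elif baseline[rel] != digest:
            reasons.append("content differs from baseline")
        if mtime >= window_start:
            reasons.append("modified inside exploitation window")
        if reasons:
            findings.append({"path": rel, "sha256": digest, "reasons": reasons})
    return findings

def demo():
    """Constructed sample tree standing in for a web root: one shipped page with an
    old timestamp, plus a JSP nobody installed, written just now."""
    root = Path(tempfile.mkdtemp())
    known = root / "index.jsp"
    known.write_text("<%-- shipped page --%>")
    old = datetime(2023, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(known, (old, old))  # predates the exploitation window
    baseline = {"index.jsp": sha256_of(known)}
    (root / "extra.jsp").write_text("<%-- not placed by the installer --%>")
    return hunt_jsp(root, baseline, datetime(2023, 4, 1, tzinfo=timezone.utc))
```

Timestamps alone are weak evidence, since a file's mtime can be set by whoever wrote it; the baseline hash comparison is the finding to act on, and any hit should be preserved for forensics before the appliance is rebuilt.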

Key Details

Property              Value
CVE ID                CVE-2023-35081
Vendor / Product      Ivanti — Endpoint Manager Mobile (EPMM)
NVD Published         2023-08-03
NVD Last Modified     2026-01-14
CVSS 3.1 Score        7.2
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-22
CISA KEV Added        2023-07-31
CISA KEV Deadline     2023-08-21
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   High
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2023-08-21. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-07-23   Ivanti patches CVE-2023-35078; determines attackers may chain it with a second vulnerability
2023-07-28   Ivanti releases patch for CVE-2023-35081 (versions 11.10.0.3, 11.9.1.2, 11.8.1.2)
2023-07-31   CISA adds CVE-2023-35081 to the Known Exploited Vulnerabilities catalog
2023-08-01   CISA and NCSC-NO publish joint advisory AA23-213A documenting the chained exploitation of CVE-2023-35078 and CVE-2023-35081
2023-08-03   CVE-2023-35081 formally published to NVD
2023-08-21   CISA BOD 22-01 remediation deadline