CVE-2023-35082

Ivanti EPMM / MobileIron Core — Unauthenticated API Access Affecting End-of-Life and Current Versions
CVSS 3.1: 9.8 / 10 (CRITICAL) · CISA Known Exploited Vulnerability

What is Ivanti Endpoint Manager Mobile (EPMM)?

Ivanti Endpoint Manager Mobile (EPMM), formerly branded as MobileIron Core, is an enterprise Mobile Device Management (MDM) platform used by organizations to centrally manage and secure smartphones, tablets, and other mobile devices across their workforce. It is widely deployed in government agencies, healthcare organizations, and large enterprises to enforce mobile security policies, distribute applications, and manage device compliance.

Key functions include:

  • Device enrollment and lifecycle management — provision, configure, and retire corporate and BYOD mobile devices
  • Policy enforcement — push security policies (encryption, screen lock, app restrictions) to enrolled devices
  • Application management — distribute, update, and remotely wipe enterprise applications from a central console
  • VPN and network access — configure and distribute VPN profiles and certificates to managed endpoints
  • Compliance monitoring — continuously assess enrolled device posture and flag non-compliant devices

EPMM and its predecessor MobileIron Core are typically deployed as on-premises appliances with management interfaces exposed to the internet for device check-ins. Many organizations running older end-of-life MobileIron Core versions, notably government agencies and healthcare organizations with long refresh cycles, were particularly exposed by CVE-2023-35082, which affected versions that had already passed their vendor support end-of-life dates.

Overview

CVE-2023-35082 is a critical authentication bypass vulnerability (CWE-287) affecting Ivanti EPMM and MobileIron Core that allows unauthenticated remote attackers to access API endpoints on an exposed management server. It is a closely related variant of CVE-2023-35078 and was discovered while investigating that earlier vulnerability.

CVE-2023-35082 was initially reported as affecting only MobileIron Core version 11.2 and earlier — the legacy, unsupported predecessor to EPMM — but Ivanti's subsequent investigation found additional exploitation paths affecting all EPMM versions 11.10, 11.9, and 11.8 as well. Because MobileIron Core 11.2 reached end-of-life in March 2022, Ivanti did not release a direct patch for end-of-life versions, leaving organizations on unsupported releases with no vendor-supported remediation path other than upgrading to a current EPMM version.

The vulnerability was added to the CISA KEV catalog in January 2024 — approximately five months after public disclosure — confirming that exploitation was ongoing well after the initial disclosure period. When chained with CVE-2023-35081, attackers can escalate from unauthenticated API access to webshell deployment and remote code execution.

Affected Versions

| Product / Version | Vulnerable | Remediation |
| --- | --- | --- |
| EPMM 11.10.x | Yes | Apply RPM mitigation script (August 2023); upgrade to 11.11 for permanent fix |
| EPMM 11.9.x | Yes | Apply RPM mitigation script |
| EPMM 11.8.x | Yes | Apply RPM mitigation script |
| EPMM 11.3.x through 11.7.x | Yes | Apply RPM mitigation script |
| MobileIron Core 11.2 and earlier | Yes (end-of-life) | No patch available; upgrade to supported EPMM version |
| EPMM 11.11 | Not affected | Permanent fix included in this release |
| Ivanti Neurons for MDM (cloud) | Not affected | |

Ivanti released RPM mitigation scripts for versions 11.10 through 11.3. MobileIron Core 11.2 and older reached end-of-life on March 15, 2022, and will not receive a patch; operators must upgrade to a supported EPMM version.

Technical Details

CVE-2023-35082 is structurally similar to CVE-2023-35078 — both are improper authentication vulnerabilities (CWE-287) that expose EPMM API endpoints without requiring valid credentials. The vulnerability allows a remote unauthenticated attacker to access API endpoints on an exposed management server by crafting requests that bypass the authentication enforcement layer.

Exploiting the API access, an attacker can:

  • Access and extract personally identifiable information (PII) including names, phone numbers, email addresses, and mobile device identifiers for enrolled users
  • Perform configuration modifications on the EPMM platform
  • Leverage the access as a stepping stone for further exploitation

Relationship to CVE-2023-35078: While CVE-2023-35078 and CVE-2023-35082 are distinct CVEs, they represent the same class of flaw — missing or insufficient authentication enforcement on API paths. CVE-2023-35082 was discovered by Rapid7 while investigating CVE-2023-35078, suggesting the root cause exists in a common authentication control layer. Ivanti's expanded advisory (August 7, 2023) revealed that CVE-2023-35082 affected a broader range of versions than initially understood.

Chaining with CVE-2023-35081: CVE-2023-35081 (path traversal / arbitrary file write) can be chained with CVE-2023-35082 in the same way it chains with CVE-2023-35078 — using the authentication bypass to gain effective administrator-level access, then using the file write primitive to deploy a webshell for persistent remote code execution.

Attack characteristics:

  • No credentials or prior access required
  • Exploitable over the internet against any exposed EPMM or MobileIron Core management interface
  • Particularly impactful for organizations on end-of-life MobileIron Core versions with no patch available

Discovery

CVE-2023-35082 was discovered by Rapid7 while investigating CVE-2023-35078. Rapid7 reported the vulnerability to Ivanti on July 26, 2023, and published their disclosure blog on August 2, 2023. The initial disclosure described the affected scope as MobileIron Core 11.2 and earlier; Ivanti subsequently updated its advisory on August 7, 2023, to document the broader impact across current EPMM versions.

Exploitation Context

CVE-2023-35082 was added to the CISA KEV catalog on January 18, 2024 — approximately five months after public disclosure — indicating continued active exploitation:

  • Delayed KEV addition: The five-month gap between public disclosure (August 2023) and KEV addition (January 2024) suggests that exploitation was identified or confirmed well after the initial patch cycle, likely targeting organizations that had not yet remediated despite prior disclosure.
  • End-of-life version exposure: The vulnerability disproportionately affected organizations running MobileIron Core 11.2 and earlier — versions that had already passed end-of-life in March 2022 and for which no patch exists, leaving administrators with no option other than a full platform upgrade.
  • Chaining risk: When combined with CVE-2023-35081, CVE-2023-35082 provides an unauthenticated path to arbitrary file write and webshell deployment, enabling persistent RCE on compromised EPMM appliances.
  • Continued EPMM targeting: The exploitation of CVE-2023-35082 fits into a sustained pattern of nation-state and criminal threat actor interest in Ivanti EPMM, following the Norwegian government campaign that exploited CVE-2023-35078 and CVE-2023-35081.

Remediation

  1. Apply RPM mitigation scripts — for EPMM versions 11.10 through 11.3, apply the Ivanti-provided RPM scripts released in August 2023
  2. Upgrade to EPMM 11.11 or later — the permanent fix for CVE-2023-35082 is included in EPMM 11.11; RPM scripts are a temporary mitigation, not a permanent fix
  3. Upgrade from end-of-life MobileIron Core — organizations on MobileIron Core 11.2 and earlier have no patch available; the only remediation is upgrading to a current EPMM release
  4. Also address CVE-2023-35081 — the path traversal companion vulnerability must be patched separately to eliminate the webshell-deployment attack chain
  5. Restrict internet access to the management interface — EPMM and MobileIron Core management interfaces should not be directly reachable from the public internet; implement VPN gateways or firewall ACLs limiting access to known IP ranges
  6. Review API access logs — examine server logs for unauthenticated requests to EPMM API endpoints; patterns consistent with CVE-2023-35082 exploitation are detectable through log review
  7. Hunt for webshells and persistence mechanisms — if compromise is suspected, search for unexpected JSP files in EPMM web-accessible directories and audit the system for post-exploitation artifacts
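
A sketch of the log review in steps 6 and 7, added here as an example (it is not Ivanti, Rapid7 or CISA tooling): it flags sources outside the admin ranges from step 5 that received a successful API response, were served a JSP that is not on a known-good list, or both. The Apache combined log format, `API_PREFIX`, `KNOWN_JSP` and `MGMT_NETS` are assumptions and placeholders; the advisory does not name the real paths, so substitute values from your own appliance.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions, not values from the advisory: Apache/NCSA combined log format,
# a placeholder API prefix, a placeholder list of JSP paths that ship with the
# appliance, and example admin source ranges. Replace all of them locally.
API_PREFIX = "/PLACEHOLDER-api/"
KNOWN_JSP = {"/PLACEHOLDER-app/login.jsp"}
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def is_mgmt(ip):
    """True when the source address is inside an allowed admin range (step 5)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostname or garbage: treat as untrusted
        return False
    return any(addr in net for net in MGMT_NETS)

def review(lines):
    """Map each non-management source to the findings its requests produced."""
    findings = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m or is_mgmt(m["ip"]) or not m["status"].startswith("2"):
            continue
        path = m["path"].split("?", 1)[0]
        if path.startswith(API_PREFIX):                      # step 6
            findings[m["ip"]].add("api-success-outside-mgmt")
        if path.lower().endswith((".jsp", ".jspx")) and path not in KNOWN_JSP:
            findings[m["ip"]].add("unknown-jsp-served")      # step 7
    return {ip: sorted(f) for ip, f in findings.items()}

def chained(report):
    """Sources with both signals, the pattern the CVE-2023-35081 chain leaves."""
    return sorted(ip for ip, f in report.items() if len(f) == 2)

# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE = [
    '10.20.1.5 - - [07/Aug/2023:10:00:00 +0000] "GET /PLACEHOLDER-api/users HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [07/Aug/2023:10:01:00 +0000] "GET /PLACEHOLDER-api/users HTTP/1.1" 200 9000 "-" "-"',
    '203.0.113.7 - - [07/Aug/2023:10:03:00 +0000] "GET /PLACEHOLDER-app/x1.jsp?a=1 HTTP/1.1" 200 40 "-" "-"',
    '198.51.100.9 - - [07/Aug/2023:10:04:00 +0000] "GET /PLACEHOLDER-api/users HTTP/1.1" 401 0 "-" "-"',
    '198.51.100.9 - - [07/Aug/2023:10:05:00 +0000] "GET /PLACEHOLDER-app/login.jsp HTTP/1.1" 200 800 "-" "-"',
    '192.0.2.44 - - [07/Aug/2023:10:06:00 +0000] "GET /PLACEHOLDER-api/devices HTTP/1.1" 200 700 "-" "-"',
]
```

Calling `chained(review(SAMPLE))` returns the sources to triage first; a source with only the API finding still warrants a check against the step 5 ACLs.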

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2023-35082 |
| Vendor / Product | Ivanti: Endpoint Manager Mobile (EPMM) and MobileIron Core |
| NVD Published | 2023-08-15 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-287 |
| CISA KEV Added | 2024-01-18 |
| CISA KEV Deadline | 2024-02-08 |
| Known Ransomware Use | Yes |

CVSS 3.1 Breakdown

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2024-02-08. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
| --- | --- |
| 2023-07-26 | Rapid7 reports CVE-2023-35082 to Ivanti while investigating CVE-2023-35078 |
| 2023-08-02 | Rapid7 publishes disclosure blog; vulnerability initially described as affecting MobileIron Core 11.2 and prior only |
| 2023-08-03 | CVE-2023-35082 formally published to NVD |
| 2023-08-07 | Ivanti updates advisory to confirm CVE-2023-35082 also affects EPMM 11.10, 11.9, 11.8, and MobileIron Core 11.7 and below |
| 2023-08-15 | Ivanti releases RPM mitigation scripts for EPMM versions 11.10 through 11.3 |
| 2024-01-18 | CISA adds CVE-2023-35082 to the Known Exploited Vulnerabilities catalog following confirmed active exploitation |
| 2024-02-08 | CISA BOD 22-01 remediation deadline |