October 3, 2023

Ivanti has disclosed yet another critical vulnerability in its MobileIron Core mobile device management software.

Tracked as CVE-2023-35082, the flaw is a remote unauthenticated API access vulnerability affecting MobileIron Core version 11.2 and older.

Successful exploitation allows attackers to access personally identifiable information of mobile device users and backdoor compromised servers by deploying web shells when chaining the bug with other flaws.

Ivanti said that, because MobileIron Core 11.2 has been out of support since March 15, 2022, it would not issue security patches for this flaw, which has already been addressed in newer versions of the product, now rebranded as Endpoint Manager Mobile (EPMM).

This vulnerability does not affect any version of Ivanti Endpoint Manager or MobileIron Core 11.3 and above, or Ivanti Neurons for MDM.

More than 2,200 MobileIron user portals are currently exposed online, according to a Shodan search, including devices connected to U.S. local and state government agencies.

More information can be found on the blog of Rapid7, which discovered the flaw.
