Get a free application, infrastructure and malware scan report - Scan Your Website Now

Subscribe to our Newsletter
Try AppTrana WAAP (WAF)
Managed WAF Start at $99

Remote Unauthenticated API Access Vulnerabilities in Ivanti

Posted DateAugust 8, 2023
Posted Time 3   min Read

Ivanti has warned users of its Endpoint Manager Mobile (EPMM) mobile device management (MDM) platform, urging immediate actions to address two vulnerabilities – including a zero-day exploit.

These vulnerabilities can potentially be exploited by an unauthorized attacker, leading to unauthorized access to sensitive data and the execution of malicious actions on the affected system.

Analyzing Identified API Access Vulnerabilities

Formerly known as MobileIron Core, Ivanti Endpoint Manager Mobile (EPMM) is a management platform that provides organizations with the means to manage mobile devices, including smartphones and tablets.

As of now, Ivanti has disclosed two remote API access vulnerabilities:

  • CVE-2023-35078 (July 24, 2023)
  • CVE-2023-35082 (August 2, 2023)


Severity: Critical

CVSSv3.1: Base Score: 10.0 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSSv2: Base Score: 9.3 HIGH

Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Exploit available in public: Yes.

Exploit complexity: Low

CVE-2023-35078 is a remote unauthenticated API access vulnerability that affects Ivanti EPMM. An unauthorized attacker can potentially exploit this vulnerability to gain unauthorized access to sensitive data and perform malicious actions on the affected system.

Successful exploitation of this vulnerability could lead to various security risks, including but not limited to:

  1. Unauthorized access to sensitive information stored within Ivanti EPMM.
  2. Execution of unauthorized administrative actions, potentially compromising the integrity and availability of your data and resources
  3. Unintended disclosure of confidential data to unauthorized parties

All supported versions, including Version 11.4 with its releases 11.10, 11.9, and 11.8, are affected by this vulnerability. Furthermore, this issue also extends to product versions that no longer receive support.

In response to the identified vulnerability, Ivanti promptly released patches for versions,, and

For EPMM Unsupported Releases (<, Ivanti highly recommends upgrading to the latest version of EPMM; if you cannot upgrade, apply an RPM fix.

Active Exploitations

Ivanti has confirmed instances of CVE-2023-35078 being exploited in real-world scenarios, impacting a “very limited number of customers.” Further validating this, the Norwegian National Security Authority (NSM) has affirmed the utilization of CVE-2023-35078 to breach a government-operated software platform.

In parallel, the CISA also issued an advisory regarding the vulnerability, incorporating it into their Known Exploited Vulnerabilities (KEV) list.


Severity: Critical

CVSSv3.1: Base Score: 10.0 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSSv2: Base Score: 9.3 HIGH

Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Exploit available in public: Yes.

Exploit complexity: Low

CVE-2023-35082 is another remote unauthenticated API access vulnerability that affects Mobilelron Core versions 11.2 and older. Like CVE-2023-35078, this vulnerability can enable a remote unauthenticated attacker to access API endpoints on a publicly exposed management server, utilizing them for diverse operations.

The vulnerability was incidentally resolved in MobileIron Core 11.3 as part of work on a product bug.

Note: MobileIron Core 11.2 has been out of support since March 15, 2022.

Prevention and Mitigation

  • Without delay, apply the relevant updates provided by Ivanti to vulnerable systems, following proper testing.
  • Employ vulnerability scanning to identify possible software vulnerabilities that require mitigation.
  • Implement the pinciple of least privilege across all systems and services. Running software with non-administrative privileges helps minimize the impact of a successful attack.

AppTrana WAAP Threat Coverage

AppTrana customers are protected from these vulnerabilities from Day 0.

Apart from the patches provided by the vendor, AppTrana WAAP offers additional protection patterns that can serve as an extra layer of defense against potential exploits.

To ensure the security of our customers, Indusface managed security team developed the rules to generate Ivanti-related alerts and block attempts to exploit.

Rule ID Name
99901 Remote Unauthenticated API Access Vulnerability (CVE-2023-35078)



  • Advisory :
  • Advisory :
  • Patch :

Stay tuned for more relevant and interesting security articles. Follow Indusface on FacebookTwitter, and LinkedIn.

AppTrana WAAP

Spread the love

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

Blog Business Logic main
What is Business Logic Vulnerability?

Discover what a business logic vulnerability is, how it can harm your software, and what you can do to protect against it.

Spread the love

Read More


Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Know More Take Free Trial


Indusface is the only cloud WAAP (WAF) vendor with 100% Customer Recommendation for 3 consecutive years.

A Customers’ Choice for 2022 and 2023 - Gartner® Peer Insights™

The reviews and ratings are in!