The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Thursday added a now-patched important flaw impacting Ivanti Endpoint Supervisor Cellular (EPMM) and MobileIron Core to its Recognized Exploited Vulnerabilities (KEV) catalog, stating it is being actively exploited within the wild.
The vulnerability in query is CVE-2023-35082 (CVSS rating: 9.8), an authentication bypass that is a patch bypass for an additional flaw in the identical resolution tracked as CVE-2023-35078 (CVSS rating: 10.0).
“If exploited, this vulnerability permits an unauthorized, distant (internet-facing) actor to doubtlessly entry customers’ personally identifiable data and make restricted adjustments to the server,” Ivanti famous in August 2023.
All variations of Ivanti Endpoint Supervisor Cellular (EPMM) 11.10, 11.9 and 11.8, and MobileIron Core 11.7 and under are impacted by the vulnerability.
Cybersecurity agency Rapid7, which found and reported the flaw, stated it may be chained with CVE-2023-35081 to allow an attacker to write down malicious internet shell recordsdata to the equipment.
There are presently no particulars on how the vulnerability is being weaponized in real-world assaults. Federal businesses are advisable to use vendor-provided fixes by February 8, 2024.
The disclosure comes as two different zero-day flaws in Ivanti Join Safe (ICS) digital personal community (VPN) units (CVE-2023-46805 and CVE-2024-21887) have additionally come below mass exploitation to drop internet shells and passive backdoors, with the corporate anticipated to launch updates subsequent week.
“We’ve got noticed the risk actor goal the configuration and working cache of the system, which comprises secrets and techniques necessary to the operation of the VPN,” Ivanti stated in an advisory.
“Whereas we’ve not noticed this in each occasion, out of an abundance of warning, Ivanti is recommending you rotate these secrets and techniques after rebuild.”
Volexity, earlier this week, revealed that it has been capable of finding proof of compromise of over 1,700 units worldwide. Whereas preliminary exploitation was linked to a suspected Chinese language risk actor named UTA0178, further risk actors have since joined the exploitation bandwagon.
Additional reverse engineering of the dual flaws by Assetnote has uncovered an extra endpoint (“/api/v1/totp/user-backup-code”) by which the authentication bypass flaw (CVE-2023-46805) could possibly be abused on older variations of ICS and procure a reverse shell.
Safety researchers Shubham Shah and Dylan Pindur described it as “one other instance of a safe VPN machine exposing itself to large scale exploitation as the results of comparatively easy safety errors.”
