Joint Cybersecurity Advisory on Threat Actors Exploiting Ivanti EPMM Vulnerabilities

Created: Thursday, August 3, 2023 - 14:52
Categories: Cybersecurity

This week, CISA and the Norwegian National Cyber Security Centre (NCSC-NO) released a joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-35078 and CVE-2023-35081 affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells. 

In July 2023, NCSC-NO became aware of advanced persistent threat (APT) actors exploiting a zero-day vulnerability in Ivanti EPMM, formerly known as MobileIron Core, to target a Norwegian government network. CISA and NCSC-NO are concerned about the potential for widespread exploitation of both vulnerabilities in government and private sector networks because threat actors, including APT actors, have previously exploited a MobileIron vulnerability.  

Ivanti released a patch for CVE-2023-35078 on July 23, 2023, but later determined actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081, and released a patch for the second vulnerability on July 28, 2023.

CISA and NCSC-NO recommend that administrators use the CISA-developed nuclei templates to determine whether their systems have these vulnerabilities, and use the NCSC-NO-developed checklist to identify signs of compromise. All organizations are encouraged to review "Threat Actors Exploiting Ivanti EPMM Vulnerabilities" and implement its recommended actions and mitigations. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. Access the full advisory at CISA.