Ivanti Warns of Another Endpoint Manager Mobile Vulnerability Under Active Attack


Ivanti has disclosed yet another security flaw impacting Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, that it said has been weaponized as part of an exploit chain by malicious actors in the wild.

The new vulnerability, tracked as CVE-2023-35081 (CVSS score: 7.8), impacts supported versions 11.10, 11.9, and 11.8, as well as those that are currently end-of-life (EoL).

"CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server," the company said in an advisory. This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs restrictions (if applicable).

A successful exploit could allow a threat actor to write arbitrary files on the appliance, thereby enabling the malicious party to execute OS commands on the appliance as the tomcat user.

"As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081," the company added.

Cybersecurity firm Mnemonic, which discovered and reported the flaw, said it observed CVE-2023-35081 being used together with CVE-2023-35078 to write JSP and Java .class files to disk.

"These files were loaded into a running Apache Tomcat instance and enabled an external actor to run malicious Java bytecode on the affected servers," the company said.
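A defender can turn Mnemonic's observation into a quick triage sweep: list JSP files and Java class files (recognised by their magic bytes, whatever they are named) under a web application directory that were modified after a chosen date. This is an added example, not code from Ivanti, Mnemonic or the original article; the function names and the sample directory tree are hypothetical, since the article names no paths.

```python
import os
import pathlib
import tempfile
import time

JSP_EXTENSIONS = {".jsp", ".jspx"}
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of a compiled Java class file


def classify(path):
    """Return 'jsp' by extension, 'class' by content (so a renamed file still counts), or None."""
    if path.suffix.lower() in JSP_EXTENSIONS:
        return "jsp"
    try:
        with open(path, "rb") as fh:
            return "class" if fh.read(4) == CLASS_MAGIC else None
    except OSError:
        return None  # unreadable file: skip it rather than abort the sweep


def find_recent_code_files(root, since_epoch):
    """List (relative path, kind) for JSP/class files modified at or after since_epoch."""
    hits = []
    for path in pathlib.Path(root).rglob("*"):
        kind = classify(path) if path.is_file() else None
        # mtime can be reset by whoever wrote the file; an empty result is not proof of a clean host.
        if kind and path.stat().st_mtime >= since_epoch:
            hits.append((path.relative_to(root).as_posix(), kind))
    return sorted(hits)


def build_sample_tree(root, now):
    """Constructed sample data (not from the page): two old shipped files, two recent ones."""
    old, stub = now - 90 * 86400, CLASS_MAGIC + b"\x00\x00\x00\x34"
    samples = {"app/index.jsp": (b"<%-- shipped --%>", old),
               "app/WEB-INF/classes/Shipped.class": (stub, old),
               "app/css/new.jsp": (b"<%-- constructed --%>", now - 3600),
               "app/img/logo.png": (stub, now - 1800)}
    for rel, (data, mtime) in samples.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, time.time())
        print(find_recent_code_files(tmp, time.time() - 7 * 86400))
```

On a real host, point `find_recent_code_files` at the application server's deployment directory and set the cutoff to shortly before the earliest suspected exposure; every hit still needs comparing against the vendor's shipped files.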

It’s worth noting that CVE-2023-35078 is a critical remote unauthenticated API access vulnerability that permits remote attackers to obtain sensitive information, add an EPMM administrative account, and change the configuration because of an authentication bypass.

The security flaws have been exploited by unknown actors targeting Norwegian government entities, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to release an alert urging users and organizations to apply the latest fixes.

The development also comes as the Google Project Zero team said 41 in-the-wild 0-days were detected and disclosed in 2022, down from 69 in 2021, noting that 17 of those are variants of previously public vulnerabilities.

"Similar to the overall numbers, there was a 42% drop in the number of detected in-the-wild 0-days targeting browsers from 2021 to 2022, dropping from 26 to 15," Google TAG researcher Maddie Stone said.

"We assess this reflects browsers’ efforts to make exploitation more difficult overall as well as a shift in attacker behavior away from browsers towards zero-click exploits that target other components on the device."

 

(c) Thin
