HomePentest-Tools.com Logo

Ivanti Endpoint Manager Mobile (EPMM) - Unauthenticated API Access (CVE-2023-35078)

Severity
CVSSv3 Score
10
Vulnerability description

Ivanti MobileIron is vulnerable to CVE-2023-35078, a vulnerability that allows unauthenticated access to specific API paths. The root cause of this vulnerability is improper authentication validation. This vulnerability allows an unauthenticated remote attacker to access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes, including creating an EPMM administrative account that can make further changes to a vulnerable system.

Risk description

The risk exists that an unauthenticated remote attacker could gain full access to the exposed API and access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes, including creating an EPMM administrative account that can make further changes to a vulnerable system.

Exploit capabilities

Sniper can extract custom artefacts as evidence from the target system.

Recommendation

Update Ivanti EPMM to one of the currently fixed versions (11.10.0.2, 11.9.1.1, 11.8.1.1 and above).

Codename
Not available
Detectable with
Network Scanner
Exploitable with Sniper
Yes
Vuln date
Jul 2023
Published at
Updated at
Software Type
Unified Endpoint Manager
Vendor
Ivanti
Product
Endpoint Manager Mobile