Ivanti Endpoint Manager Mobile (EPMM) - Unauthenticated API Access (CVE-2023-35078)
- Severity: CVSSv3 Score 10
- Vulnerability description
Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron Core) is vulnerable to CVE-2023-35078, an authentication bypass that allows unauthenticated access to specific API paths. The root cause is improper authentication validation on those paths. A remote, unauthenticated attacker can use the exposed API to read personally identifiable information (PII) such as names, phone numbers and other mobile device details for users managed by a vulnerable system. The attacker can also make configuration changes, including creating an EPMM administrative account that can then make further changes to the vulnerable system.
- Risk description
The risk exists that an unauthenticated remote attacker who can reach the EPMM web interface gains full access to the exposed API paths, reads personally identifiable information (PII) such as names, phone numbers and other mobile device details for enrolled users, and makes configuration changes, including creating an EPMM administrative account that persists after the initial access and can be used to make further changes to the vulnerable system.
- Exploit capabilities
Sniper can extract custom artefacts as evidence from the target system.
- Recommendation
Update Ivanti EPMM to one of the fixed versions (11.8.1.1, 11.9.1.1 or 11.10.0.2) or a later release. Versions older than 11.8 have no fixed build listed here and should be upgraded to a supported, patched release. After patching, review the list of EPMM administrator accounts and remove any that your team did not create, since exploitation can leave a persistent administrative account behind.
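The version thresholds above are branch-specific (each 11.x branch has its own first fixed build), so a naive "is the version greater than 11.10.0.2" comparison would misclassify a patched 11.8.1.1 host as vulnerable. The following added example, which is not code from Pentest-Tools.com's Network Scanner or Sniper, shows a branch-aware check that a scanner or asset inventory could apply to a version string. It assumes the fixed builds listed in the recommendation and treats any branch newer than 11.10 as carrying the fix; the sample version strings are constructed for illustration.

```python
"""Branch-aware fixed-version check for CVE-2023-35078 (added example).

Fixed builds, taken from the recommendation above: 11.8.1.1, 11.9.1.1 and
11.10.0.2, plus any later build in the same branch. Branches older than 11.8
have no fixed build listed, so they are reported as vulnerable (upgrade).
Assumption: branches released after 11.10 include the fix.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# First fixed build per (major, minor) branch, from the recommendation text.
FIXED_BY_BRANCH = {
    (11, 8): (11, 8, 1, 1),
    (11, 9): (11, 9, 1, 1),
    (11, 10): (11, 10, 0, 2),
}
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)


def parse_version(text: str) -> Optional[Version]:
    """Extract a dotted version such as '11.9.1.0' from a banner or inventory
    string and pad it to four components (major.minor.patch.build)."""
    match = re.search(r"\b(\d+(?:\.\d+){1,3})\b", text)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


def assess(version_text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for an EPMM version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        # Same branch: compare against that branch's first fixed build.
        return "fixed" if version >= FIXED_BY_BRANCH[branch] else "vulnerable"
    if branch > NEWEST_FIXED_BRANCH:
        # Assumption: releases after the 11.10 branch ship with the fix.
        return "fixed"
    # Older branch with no fixed build listed: needs an upgrade.
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory lines, not real scan output.
    samples = [
        "Ivanti EPMM 11.8.1.0",
        "Ivanti EPMM 11.8.1.1",
        "MobileIron Core 11.10.0.1",
        "Ivanti EPMM 11.10.0.2",
        "MobileIron Core 11.3.0.0",
        "no version banner",
    ]
    for line in samples:
        print(f"{line!r}: {assess(line)}")
```

The check keys on the (major, minor) branch first and only then compares the full four-part tuple, which is what makes 11.8.1.1 come out as fixed even though it is numerically lower than 11.10.0.2. A version-based result is only as good as the banner it was parsed from, so treat "fixed" as a reason to deprioritise, not as proof that the API paths are actually protected.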
- Codename: Not available
- Detectable with: Network Scanner
- Exploitable with Sniper: Yes
- Vuln date: Jul 2023
- Software Type: Unified Endpoint Manager
- Vendor: Ivanti
- Product: Endpoint Manager Mobile