Ivanti has recently disclosed a new critical vulnerability in its MobileIron Core mobile device management software. CVE-2023-35082 affects MobileIron Core version 11.2 and older and is a remote unauthenticated API access vulnerability. If exploited, it can allow an attacker to access personally identifiable information and, when chained with other vulnerabilities, to backdoor compromised servers by deploying web shells.
Ivanti has released a statement that this critical vulnerability will not be patched, as the flaw has already been fixed in newer versions of the product, which has been rebranded to Endpoint Manager Mobile (EPMM). MobileIron Core 11.2 has been out of support since March 2022, and MobileIron Core 11.3 and above are unaffected.
Two other vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM) (formerly MobileIron Core) have been exploited by state hackers since April. CVE-2023-35078 is a critical flaw that allows an attacker to bypass authentication; it was exploited as a zero-day to attack Norwegian government organisations' networks.
CISA released a statement regarding the vulnerability and why APTs are eager to attack mobile device management systems: "MDM systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks."