Scroll to top

Get In Touch
541 Melville Ave, Palo Alto, CA 94301,
Ph: +1.831.705.5448

Work Inquiries
Ph: +1.831.306.6725

CVE 2023-35078 (Zero Day)

On 24th July 2023 Mobile Device Management solution from Ivanti got the Zero-day vulnerability which was exploited by hackers to get the data of government organizations.

The first Attack was confirmed by the Norwegian government they told that their MDM solution (product of Ivanti) has a zero-day vulnerability and which affects there 12 ministries in the country.

The flow starts when the MDM solution had integrated the Azure AD code to make the product join with the Azure AD domain but this introduces the flow as this will give the unauthenticated access to the MDM solution API as an admin user.

Technical Details of CVE 2023-35078

As this bug is introduced by a vulnerable endpoint so as an attacker we have to find out the endpoint which is vulnerable and not ask for creds after that we have to change the Uri path of the legitimate request to the vulnerable one.


Normal request: https://example.server/api/v2/

Attacker request: https://example.server/vulnerable path/api/v2/admin/user – To list all users

Attacker request: https://example.server/vulnerable path/api/v2/devices – To list all devices

Attacker request: https://example.server/vulnerable path/api/v2/ldap_entites – To search active directory inside the organization

You can find out whether your MDM solution vulnerability is exploited or not by analyzing your logs if you found abnormal requests like the above then please update to the non-vulnerable version.

Note: Vulnerable endpoint you can find by using a publicly available document –

How you can Find your system to patch?

You can search on Shodan your assets path =/mifs

Affected Versions

A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9, and 11.8. Older versions/releases are also at risk.

If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server.

We have received information from a credible source indicating exploitation has occurred. We continue to work with our customers and partners to investigate this situation.

Author avatar
Sanadhya Kaushik

Post a comment

Your email address will not be published. Required fields are marked *