CVE-2023-35081: Ivanti EPMM Remote Code Execution Zero-Day Analysis
- Attackers are actively exploiting a high-severity vulnerability to achieve remote code execution on Ivanti mobile device management servers.
- Affected systems include Ivanti Endpoint Manager Mobile versions 11.10, 11.9, 11.8, and all older unsupported releases.
- Administrators must immediately upgrade to the latest patched versions of EPMM to prevent unauthorized file writes and system compromise.
Ivanti has issued an urgent advisory regarding CVE-2023-35081, a high-severity vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This zero-day allows an attacker who already holds administrator privileges to achieve remote code execution (RCE) via a malicious file upload. According to BleepingComputer, the vulnerability is being actively exploited in targeted attacks. Security teams are advised to prioritize remediation of this EPMM vulnerability given that the flaw has been weaponized.
Technical Analysis: Ivanti EPMM 11.10 remote code execution
The technical root cause of CVE-2023-35081 is a path traversal flaw that enables an authenticated administrator to write arbitrary files to the appliance’s underlying operating system. While the flaw requires administrative access, it becomes exceptionally dangerous when chained with other vulnerabilities. For instance, if an attacker leverages a bypass to gain administrative entry, they can use this flaw to drop web shells or other malicious binaries directly onto the server.
The vulnerability affects specific web components of the management console. Once an attacker has uploaded a web shell or a malicious script, they can establish a command-and-control (C2) connection. This level of access facilitates lateral movement within the corporate network, since the MDM server often resides in a sensitive zone with reach into both internal directories and external mobile endpoints.
Exploitation Context
SOC teams at affected organizations may observe unusual file creation events in directories associated with the EPMM web server. This vulnerability was disclosed following a critical APT campaign targeting government infrastructure, which demonstrated the high value of mobile device management (MDM) solutions to sophisticated actors. Because MDM servers maintain high-level permissions over a fleet of mobile devices, they serve as a central point of failure. A compromise here allows for the potential exfiltration of sensitive mobile data or the deployment of further malware to enrolled devices.
Implementing CVE-2023-35081 exploit detection
To implement CVE-2023-35081 exploit detection, defenders should review web server logs for requests to unusual endpoints or the presence of unexpected JSP files in the web root. Integrating these IoC signatures into a SIEM or EDR solution is recommended for continuous monitoring.
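The two checks described above (unexpected JSP files in the web root, and requests to endpoints that should not exist) can be combined into one baseline-diff detector. The following is an added example written for this article, not Ivanti's code or part of any EPMM release: it hashes every `.jsp` file under a web root to build a baseline, reports files that appear or change afterwards, and flags access-log requests for `.jsp` paths that are not in the baseline. The web-root layout, the `/app/` URL prefix, the file names and the log lines are all constructed for the demonstration; a real deployment would point `jsp_inventory` at the appliance's actual web root and feed it real access logs.

```python
"""Baseline-diff detection for unexpected JSP files and requests that reach them.

Added example (not Ivanti's code). The directory layout, file names, URL prefix
and log lines are constructed for illustration, not taken from a real appliance.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Apache/nginx combined-log-format line, e.g.
#   203.0.113.5 - - [10/Aug/2023:10:01:02 +0000] "GET /app/x.jsp HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines: one baseline page, one new JSP that was served,
# one static asset, and one probe for a JSP that does not exist (404).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2023:10:01:02 +0000] "GET /app/login.jsp HTTP/1.1" 200 1024',
    '203.0.113.5 - - [10/Aug/2023:10:01:09 +0000] "POST /app/dropped.jsp HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/Aug/2023:10:02:00 +0000] "GET /static/logo.png HTTP/1.1" 200 4096',
    '198.51.100.9 - - [10/Aug/2023:10:02:30 +0000] "GET /app/unknown.jsp HTTP/1.1" 404 210',
]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to be read at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def jsp_inventory(web_root: Path) -> dict:
    """Map each .jsp file under web_root (POSIX relative path) to its SHA-256."""
    inv = {}
    for p in web_root.rglob("*.jsp"):
        if p.is_file():
            inv[p.relative_to(web_root).as_posix()] = sha256_file(p)
    return inv


def diff_inventory(baseline: dict, current: dict) -> dict:
    """Report JSP files that appeared, changed, or vanished since the baseline."""
    added = sorted(set(current) - set(baseline))
    modified = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    removed = sorted(set(baseline) - set(current))
    return {"added": added, "modified": modified, "removed": removed}


def suspicious_requests(log_lines, baseline: dict, url_prefix: str = "/") -> list:
    """Flag requests for .jsp paths that are not in the baseline inventory.

    A 200 means an unexpected file is actually being served; a 404 still
    records that someone probed for a JSP that should not exist.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        path = m.group("path").split("?", 1)[0]
        if not path.lower().endswith(".jsp"):
            continue
        rel = path[len(url_prefix):] if path.startswith(url_prefix) else path.lstrip("/")
        if rel not in baseline:
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "path": path, "status": m.group("status")})
    return hits


def run_demo() -> dict:
    """Build a constructed web root, take a baseline, simulate a file write, detect it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "login.jsp").write_text("<%-- baseline page --%>")
        (root / "admin").mkdir()
        (root / "admin" / "index.jsp").write_text("<%-- baseline page --%>")
        baseline = jsp_inventory(root)
        # What an arbitrary-file-write leaves behind: a new JSP and a tampered one.
        (root / "dropped.jsp").write_text("<%-- constructed: unexpected file --%>")
        (root / "admin" / "index.jsp").write_text("<%-- constructed: tampered --%>")
        diff = diff_inventory(baseline, jsp_inventory(root))
        hits = suspicious_requests(SAMPLE_LOG, baseline, url_prefix="/app/")
    return {"diff": diff, "hits": hits}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The baseline should be taken from a known-good installation (for example immediately after applying the patched version) and stored off-box, so that an attacker who can write files to the appliance cannot also rewrite the reference inventory. Rerunning `diff_inventory` on a schedule and forwarding the `hits` list to the SIEM gives the continuous monitoring the paragraph above recommends.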
The primary MITRE ATT&CK technique associated with this threat is T1190 (Exploit Public-Facing Application). Organizations should adopt a Zero Trust architecture to limit the exposure of management interfaces to the public internet. This includes utilizing strong multi-factor authentication and restricting administrative access to trusted internal IP ranges.
Actionable Mitigations
- Immediately upgrade to EPMM versions 11.10.0.2, 11.9.1.1, or 11.8.1.1.
- Conduct a thorough audit of administrator logs for unauthorized account creation or suspicious configuration changes.
- Ensure that all management interfaces are behind a VPN or protected by strict IP whitelisting to reduce the attack surface.