Ivanti Zero-Day Used in Norway Government Breach

Tracked as CVE-2023-35078 and assigned a 10 on the CVSS scale, the vulnerability is a remote unauthenticated API access flaw, Ivanti’s security advisory states.

See Also: OnDemand Webinar | Third-Party Risk, ChatGPT & Deepfakes: Defending Against Today’s Threats

“An attacker with access to these API paths can access personally identifiable information such as names, phone numbers, and other mobile device details for users on a vulnerable system,” the U.S. Cybersecurity and Infrastructure Security Agency said in a Monday alert.

CISA added that an attacker can also use the bug to make configuration changes and create an administrative account.

The zero-day affects all supported and unsupported versions of the product. Ivanti said only a limited number of customers had been affected.

British cybersecurity expert Kevin Beaumont tracked the worldwide deployment of the internet-facing MobileIron instances and found that many U.S. government agencies and European organizations – including those at the 10 Downing Street in London – use the Ivanti platform.

A search on Shodan, an internet of things scanning platform, showed that more than 2,900 MobileIron user portals are presently exposed online, of which nearly two dozen are linked to the U.S. local and state government agencies.

“This one is completely nuts btw, I set up a honeypot and it’s already being probed via the API – which allows admin access and is completely unauthenticated, apparently nobody ever pentested one of the most widely used MDM solutions,” Beaumont said.

Security agencies around the globe, including the Australian Cyber Security Center, have urged users to review their networks for use of vulnerable instances of the platform and to patch immediately.