Ivanti EPMM (Endpoint Manager Mobile) is affected by CVE-2023-35081. It was exploited in the wild as a zero-day by threat actors, according to the CISA advisory. CVE-2023-35081 allows an authenticated Ivanti administrator to perform arbitrary file writes on the appliance with the same privileges as the EPMM web application server.
Chained with CVE-2023-35078, an authentication bypass, this lets threat actors gain initial access to affected EPMM systems and then write webshells to the server to run commands and escalate further on the EPMM server. Ivanti has patched both vulnerabilities, and users are advised to apply the latest patches.
According to CISA: “Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.”
How did the APT actors work?
This is how the APT actors successfully exploited CVE-2023-35078. They first compromised routers and used them as proxies into the target infrastructure, and from there gained access to EPMM devices using CVE-2023-35078.
Once on the device they performed LDAP queries and retrieved the LDAP endpoints, then used the API path “mifs/aad/api/v2/authorized/users” to enumerate the users and administrators on the EPMM device. They also made EPMM configuration changes and checked the EPMM Core Audit logs. To cover their tracks they deleted httpd log entries containing the string “Firefox/107.0” using mi.war, a malicious Tomcat application.
The APT actors ran shell commands on the EPMM device by exploiting CVE-2023-35081 to upload webshells and execute commands through them. They then tunneled their traffic through the Ivanti Sentry that supports EPMM to reach one of the Exchange servers, and also installed mi.war on Ivanti Sentry to gain access to the Sentry server.
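Defenders reading the chain above will want to check their own EPMM httpd access logs for the same indicators. The Python below is an added example, not code from CISA, Ivanti or this post: it parses access-log lines in Apache combined log format (the exact EPMM httpd format is an assumption), flags requests to the mifs/aad/api/v2/authorized/users enumeration endpoint or any other /mifs/aad/api/v2/ path, and flags the “Firefox/107.0” User-Agent that the actors' log wiping keyed on. The log lines are constructed samples, and the IP addresses are documentation ranges, not real indicators.

```python
import re
from dataclasses import dataclass

# Apache combined log format. Assumption: EPMM's httpd access log is close
# enough to this that the same regex applies; adjust if your appliance differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the activity described above.
API_PREFIX = "/mifs/aad/api/v2/"                  # API tree reachable via CVE-2023-35078
USER_ENUM_PATH = "/mifs/aad/api/v2/authorized/users"  # user/admin enumeration endpoint
SUSPECT_UA = "Firefox/107.0"                      # string mi.war scrubbed from httpd logs

# Constructed sample log (not from a real appliance). Two of the four lines
# carry the indicators; the other two are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jul/2023:10:01:12 +0000] "GET /mifs/aad/api/v2/authorized/users HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows NT 10.0; rv:107.0) Gecko/20100101 Firefox/107.0"
198.51.100.20 - - [24/Jul/2023:10:02:44 +0000] "GET /mifs/c/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
203.0.113.7 - - [24/Jul/2023:10:03:01 +0000] "POST /mifs/aad/api/v2/authorized/users HTTP/1.1" 401 0 "-" "Mozilla/5.0 (Windows NT 10.0; rv:107.0) Gecko/20100101 Firefox/107.0"
192.0.2.9 - - [24/Jul/2023:10:04:30 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux) Firefox/115.0"
"""


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    reasons: list


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """List the indicators a parsed entry matches (empty list means benign)."""
    reasons = []
    path = entry["path"].split("?", 1)[0]  # ignore query string when matching the path
    if path == USER_ENUM_PATH:
        reasons.append("user/admin enumeration endpoint")
    elif path.startswith(API_PREFIX):
        reasons.append("aad api v2 path")
    if SUSPECT_UA in entry["ua"]:
        reasons.append("User-Agent Firefox/107.0")
    return reasons


def find_indicators(log_text):
    """Scan a whole log and return a Finding for every line that matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; a real run would count these separately
        reasons = classify(entry)
        if reasons:
            findings.append(Finding(entry["ip"], entry["ts"], entry["path"], reasons))
    return findings


def sources(findings):
    """Count findings per source IP so the proxy addresses stand out."""
    counts = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} {h.path}: {', '.join(h.reasons)}")
    print("sources:", sources(hits))
```

Run against the sample, the two requests from 203.0.113.7 are flagged on both the path and the User-Agent, and the other two lines are ignored. One caveat: because mi.war deleted exactly the entries containing “Firefox/107.0”, a clean httpd log is not evidence of absence; treat a suspicious gap in the access log as a finding in itself and cross-check the EPMM Core Audit log for configuration changes the actors may have made.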