Security News > 2020 > November > UK urges orgs to patch critical MobileIron CVE-2020-15505 RCE bug

UK urges orgs to patch critical MobileIron CVE-2020-15505 RCE bug
2020-11-24 14:31

The UK National Cyber Security Centre issued an alert yesterday, prompting all organizations to patch the critical CVE-2020-15505 remote code execution vulnerability in MobileIron mobile device management systems.

NCSC is warning that they are aware of hacking groups actively using the MobileIron CVE-2020-1550 vulnerability to compromise the networks in the healthcare, local government, logistics, and legal sectors.

"The NCSC is aware that Advanced Persistent Threat nation-state groups and cyber criminals are now actively attempting to exploit this vulnerability [T1190] to compromise the networks of UK organisations," the advisory reads.

The MobileIron CVE-2020-15505 vulnerability allows an attacker to remotely execute commands on an MDM server without needing to authenticate.

Researchers released a proof-of-concept exploit for the vulnerability that allows remote attackers to execute commands on vulnerable devices.


News URL

https://www.bleepingcomputer.com/news/security/uk-urges-orgs-to-patch-critical-mobileiron-cve-2020-15505-rce-bug/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-08-17 CVE-2020-1550 Unspecified vulnerability in Microsoft products
An elevation of privilege vulnerability exists when the Windows CDP User Components improperly handle memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system.
local
low complexity
microsoft
7.8
2020-07-07 CVE-2020-15505 Use of Incorrectly-Resolved Name or Reference vulnerability in Mobileiron products
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.
network
low complexity
mobileiron CWE-706
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Mobileiron 8 0 1 2 5 8