Security News > 2023 > July > Ivanti plugs critical bug – but not before it was used against Norwegian government

A critical security flaw in Ivanti's mobile endpoint management code was exploited and used to compromise 12 Norwegian government agencies before the vendor plugged the hole.

On Monday, the US government's Cybersecurity and Infrastructure Security Agency added CVE-2023-35078 to its Known Exploited Vulnerabilities Catalog that should be urgently patched.

After initially taking down an advisory with details about the bug, and then hiding the advisory behind a paywall, on Tuesday Ivanti finally posted a public-facing security alert about CVE-2023-35078 - a remote authentication bypass vulnerability, which received a nastily perfect 10 out of 10 CVSS severity rating.

A spokesperson for the software maker told The Register it was informed of the security flaw late last week by said "Credible source," and made the patch available to customers on Sunday.

The spinner denied reports that Ivanti forced customers to sign a non-disclosure agreement specifically about this vulnerability, though said its security updates are typically shared confidentially.

Later in the day, Norway disclosed the software that had been exploited was Ivanti's EPMM. The country's National Security Authority said it waited until Ivanti's patch was generally available before naming the software.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/07/26/ivanti_patch_norway_ciso/