Ivanti plugs critical bug – but not before it was used against Norwegian government
2023-07-26 06:27

A critical security flaw in Ivanti's mobile endpoint management code was exploited and used to compromise 12 Norwegian government agencies before the vendor plugged the hole.

On Monday, the US government's Cybersecurity and Infrastructure Security Agency added CVE-2023-35078 to its Known Exploited Vulnerabilities Catalog of flaws that should be urgently patched.

After initially taking down an advisory with details about the bug, and then hiding the advisory behind a paywall, on Tuesday Ivanti finally posted a public-facing security alert about CVE-2023-35078 - a remote authentication bypass vulnerability, which received a nastily perfect 10 out of 10 CVSS severity rating.

A spokesperson for the software maker told The Register it was informed of the security flaw late last week by a "credible source," and made the patch available to customers on Sunday.

The spinner denied reports that Ivanti forced customers to sign a non-disclosure agreement specifically about this vulnerability, though it said its security updates are typically shared confidentially.

Later in the day, Norway disclosed the software that had been exploited was Ivanti's EPMM. The country's National Security Authority said it waited until Ivanti's patch was generally available before naming the software.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/07/26/ivanti_patch_norway_ciso/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-07-25 | CVE-2023-35078 | Improper Authentication vulnerability in Ivanti Endpoint Manager Mobile. An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication. (network, low complexity, ivanti, CWE-287) | critical, 9.8 |

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Ivanti 26 9 64 99 58 230