Ivanti discloses another vulnerability in MobileIron Core (CVE-2023-35082)
2023-08-03 10:41

Ivanti has disclosed a critical vulnerability affecting old, out-of-support versions of MobileIron Core, an enterprise device solution that has since been rebranded to Ivanti Endpoint Manager Mobile.

"The vulnerability was incidentally resolved in MobileIron Core 11.3 as part of work on a product bug. It had not previously been identified as a vulnerability," noted Ivanti.

"Since CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application's security filter chain, Rapid7 would consider this new vulnerability a patch bypass for CVE-2023-35078 as it pertains to version 11.2 and below of the product," said Stephen Fewer, principal security researcher at Rapid7, who disclosed this vulnerability to Ivanti.

MobileIron Core v11.2 is no longer supported and Ivanti will not be releasing a patch for this or earlier vulnerable versions.

"We are actively working with our customers to upgrade to the latest version of Ivanti Endpoint Manager Mobile or migrate to the cloud version of the product, Ivanti Neurons for MDM," the IT software maker says.

"Additionally, should a separate vulnerability be present in the API, an attacker can chain these vulnerabilities together. For example, CVE-2023-35081 could be chained with CVE-2023-35082 to allow an attacker to write malicious webshell files to the appliance, which may then be executed by the attacker," Fewer added.


News URL

https://www.helpnetsecurity.com/2023/08/03/cve-2023-35082/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | VECTOR / COMPLEXITY | VENDOR / CWE | RISK |
|---|---|---|---|---|---|---|
| 2023-08-15 | CVE-2023-35082 | Improper Authentication vulnerability in Ivanti Endpoint Manager Mobile | An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. | network / low complexity | ivanti / CWE-287 | critical 9.8 |
| 2023-08-03 | CVE-2023-35081 | Path Traversal vulnerability in Ivanti Endpoint Manager Mobile | A path traversal vulnerability in Ivanti EPMM versions (11.10.x < 11.10.0.3, 11.9.x < 11.9.1.2 and 11.8.x < 11.8.1.2) allows an authenticated administrator to write arbitrary files onto the appliance. | network / low complexity | ivanti / CWE-22 | 7.2 |
| 2023-07-25 | CVE-2023-35078 | Improper Authentication vulnerability in Ivanti Endpoint Manager Mobile | An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication. | network / low complexity | ivanti / CWE-287 | critical 9.8 |

Related vendor

| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|---|
| Ivanti | 26 | | 9 | 67 | 130 | 60 | 266 |
| Mobileiron | 8 | | 0 | 4 | 2 | 3 | 9 |