Ivanti EPMM CVE-2023-35082: API Traversal Hitting Government MDM
Cybersecurity
Path traversal in Ivanti EPMM exposed MDM APIs without authentication. CISA issued an emergency advisory after government sector breaches were confirmed on the platform.
By Arjun Raghavan, Security & Systems Lead, BIPI · November 6, 2024 · 8 min read
CVE-2023-35082 is an authentication bypass vulnerability in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core. The flaw sits in the web front end's authentication handling for API routes and lets an unauthenticated remote attacker reach the EPMM REST API without credentials. The CVSS 3.1 base score is 9.8. The vulnerability was disclosed in early August 2023, about a week after two related Ivanti zero-days (CVE-2023-35078 and CVE-2023-35081) had already been exploited against Norwegian government systems.
Path Traversal Mechanics
The EPMM application server decides which requests need authentication by matching the request URL against route prefixes. Certain paths are allowlisted for unauthenticated access (device enrollment endpoints, for example), while anything under the REST API prefix is supposed to require a session. The bypass inserts a semicolon segment (/;/api/) in front of the API path. Inside a URL path segment a semicolon is a path-parameter delimiter (the same mechanism that carries ;jsessionid=...), and servlet containers such as Tomcat strip path parameters from every segment before mapping the request to a servlet. The authentication check runs on the raw URL, which no longer starts with the protected prefix, so it passes; the backend then normalizes the path and dispatches to the protected API route anyway. Calling this "path traversal" is loose: there is no ../ escape from a directory, only a mismatch between the path the security filter inspects and the path the servlet actually serves. The same mismatch class covers URL-encoded, dot-segment and doubled-slash variants, which is why the durable fix is to normalize before checking rather than to blocklist one string.
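The mismatch is easier to see in code. The following Python model is an added example, not EPMM code and not an exploit for it: the route prefixes (/api/, /enroll/), the endpoint names, the decode-before-strip order in servlet_path, and the naive_filter / hardened_filter / dispatch functions are all assumptions of the model. It deliberately goes beyond the semicolon case to dot-segment and percent-encoded variants, so the hardened check can be seen to cover the whole normalization-mismatch class rather than one string.

```python
from urllib.parse import unquote

# Hypothetical route layout for the model; not EPMM's real route table.
PROTECTED_PREFIX = "/api/"        # REST API: must carry an authenticated session
PUBLIC_PREFIXES = ("/enroll/",)   # allowlisted for unauthenticated device enrollment


def servlet_path(raw_path: str) -> str:
    """Model of how a servlet container resolves a request URI before servlet
    mapping: percent-decode, drop ';param' path parameters from every segment
    (the same logic that removes ';jsessionid=...'), then collapse empty
    segments and resolve '.' and '..'. Decoding before stripping is an
    assumption of this model; real containers differ in the exact order."""
    out = []
    for seg in unquote(raw_path).split("/"):
        seg = seg.split(";", 1)[0]          # ';' starts a path parameter
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def naive_filter(raw_path: str, authenticated: bool) -> bool:
    """Vulnerable pattern: prefix match on the raw request path. A request that
    does not literally start with the protected prefix is waved through."""
    if raw_path.startswith(PROTECTED_PREFIX):
        return authenticated
    return True


def hardened_filter(raw_path: str, authenticated: bool) -> bool:
    """Fixed pattern: decide on the same normalized path the servlet will see,
    and refuse any request that reaches a protected route only after
    normalization (path parameters, encoding, dot segments, doubled slashes)."""
    path = servlet_path(raw_path)
    if path.startswith(PROTECTED_PREFIX) and path != raw_path:
        return False
    if any(path.startswith(p) for p in PUBLIC_PREFIXES):
        return True
    return authenticated                    # default deny for everything else


def dispatch(raw_path: str, authenticated: bool, auth_filter) -> tuple[bool, str]:
    """Return (allowed_by_filter, path_the_servlet_actually_serves)."""
    return auth_filter(raw_path, authenticated), servlet_path(raw_path)


if __name__ == "__main__":
    probes = ["/api/v2/devices", "/;/api/v2/devices",
              "/%3B/api/v2/devices", "/x/../api/v2/devices", "/enroll/device"]
    for raw in probes:
        naive = dispatch(raw, False, naive_filter)
        fixed = dispatch(raw, False, hardened_filter)
        print(f"{raw:24} naive={naive[0]!s:5} hardened={fixed[0]!s:5} servlet={naive[1]}")
```

Run it and the unauthenticated probe /;/api/v2/devices is allowed by naive_filter yet served as /api/v2/devices, which is the bug in one line; hardened_filter rejects it, along with the encoded and dot-segment forms, because it compares what the filter saw with what the servlet will serve.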
Affected Versions
- Ivanti's initial advisory scoped the issue to EPMM (MobileIron Core) 11.2 and earlier; Ivanti later widened the affected range
- Treat all versions below 11.10.0.2 as affected
- Ivanti Neurons for MDM (the cloud product, formerly MobileIron Cloud) is NOT affected
- On-premises EPMM deployments only
Government Targeting and CISA Advisory
The joint CISA and NCSC-NO advisory AA23-213A documented the exploitation of the earlier EPMM flaws (CVE-2023-35078 and CVE-2023-35081) against multiple Norwegian government agencies. The Norwegian National Security Authority (NSM) confirmed that the attackers used unauthenticated API access to enumerate enrolled mobile devices and user accounts, then pivoted to additional internal systems using data pulled from the MDM platform. CVE-2023-35082 reopens the same unauthenticated API surface on unpatched servers, and CISA later added it to the Known Exploited Vulnerabilities (KEV) catalog, which gives federal agencies the standard 21-day remediation deadline.
MDM platforms are exceptionally valuable targets: they hold device inventories, user identity data, certificate authorities, configuration profiles, and sometimes corporate WiFi credentials for every enrolled endpoint in the organization.
What Attackers Can Access Via the Unauthenticated API
- Full enumeration of enrolled mobile devices and their attributes
- User account directory including names, email addresses, and phone numbers
- Device certificates and configuration profiles
- Corporate WiFi and VPN configuration details pushed via MDM profiles
- Application inventory for enrolled devices
- In some configurations: ability to push new profiles or wipe devices
Detection
Review the EPMM web server access logs for request URIs that place a semicolon, raw or percent-encoded, in front of the API path (;/api/, %3b/api/, %3B/api/); match case-insensitively, because encoders and scanners vary. Legitimate EPMM clients and admin browsers do not generate such patterns, so a single hit warrants investigation. Read the response code alongside the URI: a 200 on an /api/ path from a source that never authenticated means the bypass succeeded, while a 401 or 403 is a failed probe. A burst of API requests from one source IP, especially outside business hours, is a secondary indicator of automated enumeration; on its own it produces more false positives than the URI pattern, since legitimate integrations also page through the device inventory.
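The following Python scanner is an added example (not EPMM tooling and not from the article's author) that runs both checks over a small constructed access-log slice in Apache combined format. The IPs, timestamps, user agents and endpoint names are made up for the example, and the threshold of 50 API requests from one source, with 00:00 to 05:59 as the off-hours window, is an arbitrary starting point to tune against your own baseline.

```python
import re
from collections import Counter

# Combined access-log format: ip ident user [timestamp] "METHOD URI PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Semicolon, raw or percent-encoded in either case, immediately before /api/.
TRAVERSAL_RE = re.compile(r"(?:;|%3b)/api/", re.IGNORECASE)

# Constructed sample log slice; endpoint names, IPs and agents are made up for the example.
BENIGN_LINES = [
    '10.0.0.5 - - [06/Nov/2024:09:12:01 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [06/Nov/2024:09:12:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [06/Nov/2024:09:12:30 +0000] "GET /api/v2/devices?page=1 HTTP/1.1" 200 65000 "-" "Mozilla/5.0"',
]
TRAVERSAL_LINES = [
    '203.0.113.7 - - [06/Nov/2024:02:41:17 +0000] "GET /;/api/v2/ping HTTP/1.1" 200 143 "-" "python-requests/2.31"',
    '203.0.113.7 - - [06/Nov/2024:02:41:18 +0000] "GET /%3B/api/v2/devices HTTP/1.1" 200 88213 "-" "python-requests/2.31"',
    '203.0.113.7 - - [06/Nov/2024:02:41:19 +0000] "GET /%3b/api/v2/users HTTP/1.1" 200 40211 "-" "python-requests/2.31"',
]
# Sixty paginated inventory pulls from one address at 03:10 UTC: automated enumeration.
BURST_LINES = [
    f'198.51.100.23 - - [06/Nov/2024:03:10:{i:02d} +0000] "GET /api/v2/devices?page={i} HTTP/1.1" 200 65000 "-" "curl/8.4.0"'
    for i in range(60)
]
SAMPLE_LOG = BENIGN_LINES + TRAVERSAL_LINES + BURST_LINES


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_traversal_requests(lines):
    """Every request whose URI carries ';' or '%3b' before /api/, with the status
    so a 200 (bypass worked) can be told apart from a 401/403 (probe failed)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and TRAVERSAL_RE.search(rec["uri"]):
            hits.append((rec["ip"], rec["uri"], int(rec["status"])))
    return hits


def find_enumeration_bursts(lines, threshold=50, off_hours=range(0, 6)):
    """Source IPs issuing at least `threshold` API requests in the slice, with a
    count of how many fell in the off-hours window (hour of the log timestamp)."""
    total, quiet = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or "/api/" not in rec["uri"].lower():
            continue
        total[rec["ip"]] += 1
        hour = int(rec["ts"][12:14])        # 'dd/Mon/yyyy:HH:MM:SS +zzzz'
        if hour in off_hours:
            quiet[rec["ip"]] += 1
    return {ip: {"requests": n, "off_hours": quiet[ip]}
            for ip, n in total.items() if n >= threshold}


if __name__ == "__main__":
    for ip, uri, status in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal  {ip:15} {status} {uri}")
    for ip, stats in find_enumeration_bursts(SAMPLE_LOG).items():
        print(f"burst      {ip:15} {stats['requests']} API requests, {stats['off_hours']} off-hours")
```

Point it at a real log by replacing SAMPLE_LOG with the file's lines. The traversal check is the one to alert on; the burst check is there to catch an attacker who already has a working session and is simply paging through the inventory, so review its hits against your list of known integrations before escalating.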
Remediation
- Upgrade to Ivanti EPMM 11.10.0.2 or later
- If patching is not immediately possible, restrict access to the EPMM server to VPN or allowlisted IPs
- Audit all API access logs for traversal patterns
- Rotate credentials for any accounts visible in the EPMM user directory
- Review all MDM-pushed profiles for unauthorized modifications
- Treat any traversal hit in the access logs as an incident: check the indicators published in AA23-213A and report through your regulator or sector CERT as your obligations require
Broader MDM Security Posture
- MDM admin consoles must never be exposed directly to the internet
- Segment the MDM server on a dedicated management VLAN
- Enable certificate-based mutual TLS for MDM API clients
- Monitor MDM audit logs for bulk device queries and profile changes