{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/epmm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Endpoint Manager Mobile"],"_cs_severities":["critical"],"_cs_tags":["ivanti","epmm","cve-2023-35078","unauthenticated-access"],"_cs_type":"threat","_cs_vendors":["Ivanti"],"content_html":"\u003cp\u003eCVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) versions up to 11.4. This vulnerability allows unauthenticated remote API access, enabling attackers to bypass authentication and access sensitive data and functionalities. Publicly available proof-of-concept (POC) exploits exist, increasing the risk of widespread exploitation. Successful exploitation can result in unauthorized access to user data, system configuration, and other sensitive resources managed by the EPMM server. The vulnerability has been actively exploited in the wild, posing a significant threat to organizations using affected Ivanti EPMM versions. Defenders should prioritize patching and implement detection measures to identify and prevent exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Ivanti EPMM server running a vulnerable version (\u0026lt;= 11.4).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003e/mifs/aad/api/v2/authorized/users?*\u003c/code\u003e endpoint without authentication.\u003c/li\u003e\n\u003cli\u003eThe vulnerable EPMM server processes the request without proper authentication checks.\u003c/li\u003e\n\u003cli\u003eThe server responds with a 200 OK status code, indicating successful access to the API endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the unauthorized API access to enumerate authorized users.\u003c/li\u003e\n\u003cli\u003eUsing enumerated user information, the attacker gains access to sensitive data and system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker may modify system configurations, install malicious software, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full system compromise and potentially pivots to other internal systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-35078 can have severe consequences, including unauthorized access to sensitive data, modification of system configurations, and potential installation of malware. This can lead to data breaches, financial losses, and reputational damage. While specific victim counts are unavailable in the provided source, the widespread use of Ivanti EPMM suggests a broad potential impact across various sectors. The ability to remotely access and control EPMM servers without authentication makes this a highly critical vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Ivanti EPMM CVE-2023-35078 API Access\u003c/code\u003e to your SIEM to detect unauthorized access attempts to the vulnerable API endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests to the \u003ccode\u003e/mifs/aad/api/v2/authorized/users?*\u003c/code\u003e endpoint with a 200 status code, as indicated by the IOC \u003ccode\u003e*/mifs/aad/api/v2/authorized/users?*\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule or observed suspicious activity in web server logs promptly.\u003c/li\u003e\n\u003cli\u003eRefer to the Ivanti advisory (\u003ca href=\"https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US\"\u003ehttps://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US\u003c/a\u003e) for patching and mitigation guidance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-ivanti-epmm-cve-2023-35078/","summary":"Exploitation of CVE-2023-35078 in Ivanti EPMM allows unauthenticated remote API access, potentially leading to data theft, unauthorized modifications, or further system compromise.","title":"Ivanti EPMM Unauthenticated API Access via CVE-2023-35078","url":"https://feed.craftedsignal.io/briefs/2024-01-ivanti-epmm-cve-2023-35078/"}],"language":"en","title":"CraftedSignal Threat Feed - Epmm","version":"https://jsonfeed.org/version/1.1"}