Ivanti patches second EPMM zero-day
Ivanti has kicked out an urgent patch for CVE-2023-35081, a zero-day flaw in EPMM that is under active exploitation in the wild.
Ivanti has issued a patch to address a second critical zero-day vulnerability said to be under active attack.
The vendor said that for customers running Endpoint Manager Mobile (EPMM), the Monday fix for CVE-2023-35081 is a 'critical' update that should be applied as soon as possible.
The update is the second such emergency patch from Ivanti in recent days and comes on the heels of reports that a pair of EPMM zero-days were exploited in attacks on the Norwegian government.
On its surface, CVE-2023-35081 does not appear to be a critically serious vulnerability: it carries a CVSS rating of 7.2. The path traversal flaw lets an attacker remotely write files to locations they should not be permitted to create them in, but exploitation requires logging in with a valid account.
Where this bug becomes particularly nasty, however, is when it is paired with the second recent EPMM zero-day. CVE-2023-35078, which was disclosed and patched last week, allows a remote attacker to bypass authentication controls.
By chaining the two bugs together, the attacker then gets the ability to remotely install code on a vulnerable EPMM installation without the need for any authentication credentials.
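The bug class behind the second flaw is path traversal: a file-write routine accepts a caller-supplied relative path and joins it onto a base directory without checking that the result stays inside that directory. The following is an added, generic illustration (not Ivanti's code, and not derived from the EPMM vulnerability's actual endpoint or parameters) that shows the unsafe join beside a confined one. The base directory `/srv/upload-root` and the sample paths are constructed for the example.

```python
import os


# Assumed, constructed base directory for the example; it need not exist on disk.
BASE_DIR = "/srv/upload-root"


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the permitted base directory."""


def naive_join(base_dir, user_path):
    # The vulnerable pattern: a caller-controlled path is concatenated onto the
    # base directory. normpath() collapses "..", so "../../etc/passwd" walks out
    # of base_dir and the caller can write wherever the service account may.
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_join(base_dir, user_path):
    # Hardened variant: resolve both sides (following symlinks) and require that
    # the candidate's path prefix is exactly the base directory.
    if os.path.isabs(user_path):
        raise PathTraversalError("absolute paths are not accepted: %r" % user_path)

    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))

    # commonpath() compares whole path components, so a sibling directory such as
    # "/srv/upload-root-other" is rejected even though it shares a string prefix.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError("path escapes base directory: %r" % user_path)
    return candidate


def is_confined(base_dir, user_path):
    # Boolean wrapper so callers can check a request before touching the filesystem.
    try:
        safe_join(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: one benign, three attempting to escape.
    for requested in ("reports/q3.txt",
                      "../../etc/passwd",
                      "reports/../../../etc/cron.d/job",
                      "/etc/passwd"):
        print("%-35s naive=%-30s confined=%s" % (
            requested, naive_join(BASE_DIR, requested),
            is_confined(BASE_DIR, requested)))
```

The point for defenders is that the confinement check belongs on every file-writing code path, independent of authentication: the auth bypass in CVE-2023-35078 is exactly the reason "it requires a valid login" is not, by itself, an adequate control.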
Such appears to have been the case with the recent attack on Norway, where government officials said they had discovered a network breach affecting multiple ministry offices earlier this month.
The officials did not speculate on who might be behind the attack. Ivanti acknowledged that "the same limited number of customers" had been hit by the paired exploits.
Now the vendor is urging all of its customers to test and deploy the updates ASAP, a sentiment echoed by CISA. The US cybersecurity agency is advising government agencies to apply both patches, noting that "these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."
Administrators would also be well-advised to get the patches tested and installed well ahead of next Tuesday's Patch Tuesday security release from Microsoft and other enterprise vendors.
While zero-day exploits may dominate headlines, many enterprises will be just as at risk from known vulnerabilities whose updates have slipped through the cracks. A 2021 report from CISA found that as many as 100 high-risk security flaws were commonly left unpatched by federal agencies.