July 28, 2023 By Sergiu Gatlan
Ivanti has fixed another vulnerability in its Endpoint Manager Mobile (EPMM) software (formerly MobileIron Core), which was exploited as a zero-day to breach the IT systems of a dozen ministries in Norway.
Ivanti released security patches for the path traversal flaw tracked as CVE-2023-35081 today and warned customers that it's "critical" to upgrade as soon as possible to secure vulnerable appliances against attacks.
"CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs restrictions (if applicable)," Ivanti said.
"Successful exploitation can be used to write malicious files to the appliance, ultimately allowing a malicious actor to execute OS commands on the appliance as the tomcat user.