Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2023-35081

CVE-2023-35081: Ivanti EPMM Path Traversal Vulnerability

CVE-2023-35081 is a path traversal vulnerability in Ivanti Endpoint Manager Mobile that allows authenticated administrators to write arbitrary files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2023-35081 Overview

CVE-2023-35081 is a path traversal vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM), a mobile device management (MDM) solution widely used by enterprises to manage and secure mobile devices across their organizations. This vulnerability allows an authenticated administrator to write arbitrary files onto the appliance through path traversal techniques, potentially leading to complete system compromise.

Critical Impact

This vulnerability is actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. Authenticated administrators can leverage path traversal to write malicious files to arbitrary locations on the EPMM appliance, enabling potential remote code execution and persistent access.

Affected Products

  • Ivanti Endpoint Manager Mobile versions 11.10.x prior to 11.10.0.3
  • Ivanti Endpoint Manager Mobile versions 11.9.x prior to 11.9.1.2
  • Ivanti Endpoint Manager Mobile versions 11.8.x prior to 11.8.1.2

Discovery Timeline

  • 2023-08-03 - CVE-2023-35081 published to NVD
  • 2026-01-14 - Last updated in NVD database

Technical Details for CVE-2023-35081

Vulnerability Analysis

CVE-2023-35081 is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The vulnerability exists in the file handling functionality of Ivanti EPMM, where user-supplied input containing directory traversal sequences (such as ../) is not properly sanitized before being used to construct file paths.

When an authenticated administrator interacts with certain file upload or configuration features, the application fails to adequately validate the destination path. This allows an attacker with administrative credentials to escape the intended directory structure and write files to arbitrary locations on the underlying file system.

The network-based attack vector combined with the requirement for high privileges (administrator access) creates a scenario where compromised administrator accounts or insider threats pose significant risks. Once exploited, an attacker can achieve full confidentiality, integrity, and availability impact on the target system.

Root Cause

The root cause of this vulnerability is inadequate input validation in the file path handling routines within Ivanti EPMM. Specifically, the application does not properly sanitize or canonicalize file paths provided by users, allowing directory traversal sequences to be processed. This enables authenticated administrators to specify paths that escape the intended upload directory and write files to sensitive system locations such as web roots, configuration directories, or binary execution paths.

Attack Vector

The attack is conducted over the network and requires authentication with administrative privileges. An attacker who has obtained or compromised administrator credentials can exploit this vulnerability by crafting requests that include path traversal sequences in file path parameters. By manipulating the destination path, the attacker can write malicious content such as web shells, configuration files, or executable scripts to locations that enable further exploitation.

The attack flow typically involves:

  1. Authenticating to the EPMM administrative interface with valid credentials
  2. Identifying file upload or configuration endpoints that accept file paths
  3. Injecting path traversal sequences (e.g., ../../) to escape the intended directory
  4. Writing malicious files such as web shells to achieve persistent remote access

Since this vulnerability is listed in the CISA KEV catalog, organizations should assume that threat actors are actively targeting vulnerable EPMM instances. The path traversal technique combined with arbitrary file write capability provides attackers with a reliable method to establish backdoors and maintain persistence within compromised environments.

Detection Methods for CVE-2023-35081

Indicators of Compromise

  • Unexpected files appearing in web-accessible directories or system paths on the EPMM appliance
  • Log entries showing file operations with path traversal sequences (../, ..\\)
  • Presence of unauthorized web shells or script files in /opt/ or web root directories
  • Anomalous administrator activity patterns, especially file uploads or configuration changes

Detection Strategies

  • Monitor EPMM application logs for file path parameters containing traversal patterns such as ../ or encoded variants
  • Deploy file integrity monitoring (FIM) on critical EPMM system directories to detect unauthorized file modifications
  • Review administrator account activity for unusual login locations, times, or behavioral patterns
  • Implement web application firewall (WAF) rules to detect and block path traversal attempts in HTTP requests

Monitoring Recommendations

  • Enable comprehensive audit logging on the EPMM appliance and centralize logs to a SIEM solution
  • Configure alerts for any file write operations outside designated upload directories
  • Monitor network traffic to/from EPMM for signs of command-and-control communication or data exfiltration
  • Regularly review administrator account inventory and remove unnecessary privileged access

How to Mitigate CVE-2023-35081

Immediate Actions Required

  • Upgrade Ivanti Endpoint Manager Mobile to patched versions: 11.10.0.3, 11.9.1.2, or 11.8.1.2 or later immediately
  • Review all administrator accounts and revoke unnecessary privileges; enforce multi-factor authentication (MFA)
  • Conduct a forensic review of EPMM appliances to identify potential compromise indicators
  • Isolate vulnerable EPMM instances from untrusted networks until patching is complete

Patch Information

Ivanti has released security updates to address this vulnerability. Organizations should update to the following fixed versions:

  • Version 11.10.0.3 or later for the 11.10.x branch
  • Version 11.9.1.2 or later for the 11.9.x branch
  • Version 11.8.1.2 or later for the 11.8.x branch

For detailed patching instructions and additional security guidance, refer to the Ivanti CVE-2023-35081 Advisory. Given this vulnerability's inclusion in the CISA Known Exploited Vulnerabilities Catalog, federal agencies and critical infrastructure organizations are required to remediate according to binding operational directives.

Workarounds

  • Restrict administrative access to EPMM through network segmentation, allowing connections only from trusted management networks
  • Implement strict access controls and require MFA for all administrative accounts
  • Deploy a web application firewall (WAF) configured to detect and block path traversal patterns in requests
  • Enable enhanced logging and monitoring while awaiting patch deployment to detect exploitation attempts
bash
# Example: Restrict administrative interface access via firewall rules
# Allow only trusted management subnet to access EPMM admin ports
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.