CVE-2023-35082 Overview
CVE-2023-35082 is a critical authentication bypass vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) version 11.10 and older. This vulnerability allows unauthorized users to access restricted functionality or resources of the application without proper authentication. Notably, this vulnerability is distinct from CVE-2023-35078, which was announced earlier and affects similar Ivanti products.
The flaw enables remote unauthenticated attackers to access API endpoints that should require authentication, potentially leading to unauthorized data access, configuration changes, or further exploitation of managed mobile devices. Given the role of EPMM in enterprise mobile device management, successful exploitation could have severe consequences for organizational security.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Unauthenticated remote attackers can bypass authentication controls to access sensitive API endpoints and potentially compromise managed mobile device infrastructure.
Affected Products
- Ivanti Endpoint Manager Mobile (EPMM) version 11.10 and older
- MobileIron Core version 11.2 and older (legacy product name)
Discovery Timeline
- August 15, 2023 - CVE-2023-35082 published to NVD
- October 31, 2025 - Last updated in NVD database
Technical Details for CVE-2023-35082
Vulnerability Analysis
CVE-2023-35082 represents a serious authentication bypass vulnerability (CWE-287: Improper Authentication) in Ivanti's mobile device management platform. The vulnerability allows remote, unauthenticated attackers to access protected API endpoints that are intended to require valid authentication credentials.
This vulnerability is particularly dangerous because it affects the core security boundary of the EPMM platform. Mobile device management solutions like EPMM serve as centralized control points for enterprise mobile fleets, making them high-value targets. An attacker who successfully exploits this vulnerability could potentially enumerate managed devices, access sensitive configuration data, or leverage the compromised position to push malicious configurations to managed endpoints.
The attack requires no user interaction and can be executed remotely over the network, making it highly exploitable in internet-facing deployments. Organizations that expose their EPMM instances to the internet without additional network-layer protections are at elevated risk.
Root Cause
The root cause of CVE-2023-35082 lies in improper authentication controls within the Ivanti EPMM application. Specifically, certain API endpoints fail to properly validate that incoming requests originate from authenticated users before processing them. This authentication gap allows attackers to craft requests that bypass the normal authentication flow and directly access protected resources.
The vulnerability stems from insufficient enforcement of authentication checks on specific API routes, allowing unauthenticated HTTP requests to reach functionality that should only be accessible to authenticated administrators or users.
Attack Vector
The attack vector for CVE-2023-35082 is network-based, requiring no privileges or user interaction. An attacker can exploit this vulnerability by sending specially crafted HTTP requests to vulnerable EPMM instances.
The attack flow typically involves:
- Identifying an internet-exposed or network-accessible Ivanti EPMM instance running version 11.10 or older
- Crafting HTTP requests targeting specific API endpoints that lack proper authentication enforcement
- Submitting these requests directly to the target server
- Gaining unauthorized access to protected functionality and data
The vulnerability enables remote unauthenticated attackers to access API endpoints that should require authentication. Successful exploitation could allow attackers to retrieve sensitive information about managed devices, modify configurations, or potentially pivot to attack managed endpoints. For detailed technical information about the vulnerable API endpoints, refer to the Ivanti Security Advisory.
Detection Methods for CVE-2023-35082
Indicators of Compromise
- Unusual or unexpected API requests to EPMM servers from unknown IP addresses
- Authentication log entries showing successful API access without corresponding login events
- Anomalous access patterns to administrative API endpoints during non-business hours
- Network traffic to EPMM instances from known malicious IP addresses or threat actor infrastructure
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block suspicious API access patterns targeting EPMM instances
- Monitor EPMM access logs for unauthenticated requests to sensitive API endpoints
- Deploy network intrusion detection systems (IDS) with signatures for CVE-2023-35082 exploitation attempts
- Correlate EPMM access logs with authentication systems to identify API calls lacking valid authentication context
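The correlation described in the indicators and detection strategies above, as an added example (not part of the original advisory or any Ivanti tooling): it flags successful requests to a sensitive API path from a source IP that has no recent login event. The Apache combined log format, the `/PLACEHOLDER-API/` prefix, the 30-minute window and all sample data are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumptions, not from the advisory: placeholder API prefix (substitute the
# paths named in the vendor advisory) and a 30-minute session lifetime.
SENSITIVE_PREFIX = "/PLACEHOLDER-API/"
SESSION_WINDOW = timedelta(minutes=30)

# Assumed Apache combined log format: ip, ident, user, [time], "request", status
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_access(line):
    """Return (ip, timestamp, path, status), or None for unparseable lines."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def unauthenticated_api_hits(access_lines, login_events):
    """Flag 2xx responses on sensitive paths with no login from that IP
    inside SESSION_WINDOW. login_events: iterable of (ip, aware datetime)."""
    logins = {}
    for ip, ts in login_events:
        logins.setdefault(ip, []).append(ts)
    hits = []
    for line in access_lines:
        rec = parse_access(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if not path.startswith(SENSITIVE_PREFIX) or not 200 <= status < 300:
            continue
        if any(timedelta(0) <= ts - t <= SESSION_WINDOW for t in logins.get(ip, [])):
            continue
        hits.append((ip, ts.isoformat(), path))
    return hits

# Constructed sample data (documentation IP ranges), not real EPMM logs.
SAMPLE_ACCESS = [
    '10.1.2.3 - - [15/Aug/2023:09:00:05 +0000] "GET /PLACEHOLDER-API/devices HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Aug/2023:02:14:09 +0000] "GET /PLACEHOLDER-API/devices HTTP/1.1" 200 2048',
    '203.0.113.7 - - [15/Aug/2023:02:14:11 +0000] "GET /PLACEHOLDER-API/users HTTP/1.1" 401 0',
    '198.51.100.9 - - [15/Aug/2023:02:20:00 +0000] "GET /index.html HTTP/1.1" 200 100',
]
SAMPLE_LOGINS = [("10.1.2.3", datetime(2023, 8, 15, 9, 0, 0, tzinfo=timezone.utc))]
```

Matching on source IP is approximate where clients share an address behind NAT or a proxy; treat hits as leads for review rather than confirmed compromise.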
Monitoring Recommendations
- Enable verbose logging on EPMM instances and forward logs to a centralized SIEM solution
- Configure alerts for any API access attempts that bypass normal authentication workflows
- Monitor for reconnaissance activity targeting EPMM version endpoints or administrative interfaces
- Review CISA's KEV catalog alerts and integrate threat intelligence feeds that track active exploitation of this vulnerability
How to Mitigate CVE-2023-35082
Immediate Actions Required
- Upgrade Ivanti EPMM to version 11.11 or later immediately to address this vulnerability
- If immediate patching is not possible, restrict network access to EPMM instances using firewall rules to limit exposure
- Review access logs for any signs of unauthorized access or exploitation attempts
- Ensure EPMM instances are not directly exposed to the internet without VPN or other access controls
Patch Information
Ivanti has released security updates to address CVE-2023-35082. Organizations running EPMM version 11.10 or older, or MobileIron Core version 11.2 or older, should upgrade to a patched version immediately. Detailed patch information and upgrade instructions are available in the Ivanti Security Advisory.
Given that this vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, federal agencies and organizations following CISA guidance should prioritize remediation according to the specified deadlines. Consult the CISA KEV Catalog for specific remediation timelines.
Workarounds
- Implement network segmentation to isolate EPMM instances from untrusted networks
- Deploy a reverse proxy or WAF in front of EPMM to filter and validate incoming requests
- Restrict API access to known, trusted IP addresses using network-layer access control lists (ACLs)
- Enable additional monitoring and alerting on EPMM API endpoints until patching can be completed
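# Example: Restrict EPMM access to internal networks only using iptables
# Adjust IP ranges according to your network architecture
# Rules are appended (-A), so they only take effect if no earlier INPUT rule
# already accepts traffic to port 443; the final DROP must come last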
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 172.16.0.0/12 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP


