Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability

Summary

CVE	CVE-2023-35082
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-08-15 16:15:00 UTC
Updated	2023-08-22 02:16:00 UTC
Description	An authentication bypass vulnerability in Ivanti EPMM 11.10 and older, allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is unique to CVE-2023-35078 announced earlier.

Risk And Classification

EPSS: 0.944020000 probability, percentile 0.999750000 (date 2026-04-21)

CISA KEV: Listed on 2024-01-18; due 2024-02-08; ransomware use Known

Problem Types: CWE-287

CISA Known Exploited Vulnerability

Vendor	Ivanti
Product	Endpoint Manager Mobile (EPMM) and MobileIron Core
Name	Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability
Required Action	Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes	https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older; https://nvd.nist.gov/vuln/detail/CVE-2023-35082

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Ivanti	Endpoint Manager Mobile	All	All	All	All

References

Reference	Source	Link	Tags
Ivanti Community	MISC	forums.ivanti.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis
CISA Known Exploited Vulnerabilities catalog	CISA	www.cisa.gov	kev

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

730864 Ivanti Endpoint Manager Mobile (EPMM) Remote Unauthenticated API Access Vulnerability (CVE-2023-35082)