Ivanti Sentry Authentication Bypass Vulnerability
Summary
| CVE | CVE-2023-38035 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-08-21 17:15:00 UTC |
| Updated | 2023-09-13 18:15:00 UTC |
| Description | A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration. |
Risk And Classification
EPSS: 0.944190000 probability, percentile 0.999790000 (date 2026-04-21)
CISA KEV: Listed on 2023-08-22; due 2023-09-12; ransomware use Known
Problem Types: CWE-863
CISA Known Exploited Vulnerability
| Vendor | Ivanti |
|---|---|
| Product | Sentry |
| Name | Ivanti Sentry Authentication Bypass Vulnerability |
| Required Action | Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. |
| Notes | https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2023-38035 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Ivanti | Mobileiron Sentry | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Ivanti Community | MISC | forums.ivanti.com | |
| Ivanti Sentry Authentication Bypass / Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 730875 Ivanti Sentry Authentication Bypass Vulnerability (Zero Day)