External risk intelligence

Ivanti EPMM Arbitrary File Write Vulnerability

CVE advisoryKnown Exploit

CVE-2023-35081

An authenticated administrator can write arbitrary files to the Ivanti EPMM appliance via a path traversal vulnerability. This could impact system integrity and data confidentiality for affected organizations.

4Halo Surface Signal

Path Traversal

Ivanti Endpoint Manager Mobile

11.8.0 to before 11.8.1.211.9.0 to before 11.9.1.211.10.0 to before 11.10.0.3

External exposure likelihood

Halo Surface Signal score for CVE-2023-35081

The product is Ivanti Endpoint Manager Mobile (EPMM), an appliance designed for managing mobile devices across an organization. Such appliances typically serve as internet-facing management gateways or portals to allow remote administration and communication with mobile devices, making them commonly reachable from the internet in standard deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

A path traversal vulnerability has been identified in Ivanti EPMM. This flaw allows an authenticated administrator to write arbitrary files to the appliance. The potential impact includes unauthorized modification of system files, leading to compromised system integrity and potential data breaches.

Vulnerable Ivanti EPMM component
Flaw permits arbitrary file writing
Business risk to data and systems

Attack Path

How an attacker could exploit the issue

This vulnerability allows an authenticated administrator to write arbitrary files to the appliance. The attack vector begins with an administrator's access to the system. This access is then leveraged to exploit a path traversal flaw, enabling the attacker to place files anywhere on the appliance.

Exposure condition: Authenticated administrator access.
Attacker starting point: System administrator account.
Trigger and result: Path traversal leads to arbitrary file write.

Live Threat

Current exploitation, exposure, and threat context

A path traversal vulnerability exists in Ivanti EPMM, allowing authenticated administrators to write arbitrary files to the appliance. This could lead to significant business risk if exploited, potentially impacting system integrity and data confidentiality. Organizations are advised to treat this vulnerability with urgency.

Likely attacker skill level: High.
Required access or conditions: Authenticated administrator access.
Business risk or urgency: High impact, urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows authenticated administrators to write arbitrary files to the appliance. This could enable unauthorized actions and impact system integrity. Organizations should focus on identifying and securing all instances of the affected Ivanti EPMM product to mitigate potential business risks.

Find affected assets.
Reduce exposure or isolate risk.
Fix, verify, and monitor.

Frequently asked questions

What are the affected versions of Ivanti EPMM by the path traversal vulnerability CVE-2023-35081?

The vulnerability CVE-2023-35081 affects Ivanti EPMM versions 11.8.x prior to 11.8.1.2, 11.9.x prior to 11.9.1.2, and 11.10.x prior to 11.10.0.3.

How does the path traversal vulnerability in Ivanti EPMM (CVE-2023-35081) function, and what weakness class does it fall under?

This path traversal vulnerability, classified as CWE-22, allows an authenticated administrator to write arbitrary files onto the Ivanti EPMM appliance. The attacker leverages their administrative access to exploit the flaw, enabling them to place files in unintended locations on the system.

What is the trigger path and scope of the vulnerability in Ivanti EPMM?

The vulnerability is triggered when an authenticated administrator performs actions that allow file writing on the appliance. The scope is confined to the appliance itself, as the authenticated administrator can write arbitrary files onto it.

What is the relevance of CVE-2023-35081, and why is it a concern for organizations using Ivanti EPMM?

CVE-2023-35081 is highly relevant because it allows an authenticated administrator to write arbitrary files onto the Ivanti EPMM appliance. This could lead to a significant compromise of system integrity and potential data breaches, posing a high business risk.

What are the recommended practical responses for organizations after discovering the Ivanti EPMM vulnerability?

Organizations should prioritize identifying all instances of the affected Ivanti EPMM product. The next steps involve reducing exposure or isolating the risk, applying necessary fixes, verifying the remediation, and continuously monitoring for any signs of compromise.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.