Ivanti Warns Critical EPM Bug Lets Hackers Hijack Enrolled Devices

Ivanti recently fixed a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM). The flaw allows an unauthenticated attackers to hijack enrolled devices or the core server. The service helps manage client devices running a wide range of platforms from Windows and macOS to Chrome OS and other IoT operating systems.

The security flaw (tracked as CVE-2023-39336) impacts all supported Ivanti EPM versions, and it has been resolved in version 2022 Service Update 5. Attackers who have access to the target’s internal networks could exploit this flaw in low-complexity attacks that don’t require privilege or user interaction. "If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication," Ivanti says. "This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server."

Security Officer Comments:
The company says that have found no evidence that customers have been impacted by attackers exploiting this vulnerability in the wild. To help reduce the chance of threat actors exploiting this flaw, full details of CVE-2023-39336 have been withheld. This should allow customers with more time to secure their devices before threat actors can create exploits using the additional information.

Ivanti has had other zero-days exploited in the wild, so customers should patch this vulnerability as soon as possible. “In July, state-affiliated hackers used two zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti's Endpoint Manager Mobile (EPMM), formerly MobileIron Core, to infiltrate the networks of multiple Norwegian government organizations” (Bleeping Computer, 2023). "Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability," CISA cautioned.

Suggested Corrections:
The flaw has been resolved in version 2022 Service Update 5. Users should update to this latest version as soon as possible. While attacks have not been reported in the wild, threat actors are likely looking to understand how to exploit this recently disclosed flaw.