On July 24, 2023, the Norwegian National Security Authority (NSM) confirmed that twelve Norwegian government ministries had been compromised through a zero-day vulnerability in Ivanti's Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. The vulnerability, CVE-2023-35078, received the maximum CVSS score of 10.0—and it earned every decimal.
The Vulnerability
CVE-2023-35078 is an authentication bypass vulnerability in Ivanti EPMM. An unauthenticated attacker can access the API endpoint and perform administrative actions, including creating new admin accounts, changing configurations, and accessing personally identifiable information (PII) of managed mobile devices and their users.
The flaw is in the API authentication logic. Specific API paths could be accessed without any authentication, giving an attacker full administrative control over the MDM platform. The exploit is trivial—a single HTTP request to the right endpoint.
Ivanti initially tried to keep the vulnerability details restricted, distributing patches through a non-public advisory. This approach backfired when details leaked and security researchers began publishing analyses of the patch diff, revealing the vulnerability to anyone paying attention.
The Norwegian Government Breach
Norway's Security and Service Organization (DSS), which provides IT services to government ministries, discovered the breach after detecting unusual traffic patterns on its EPMM infrastructure. The Norwegian National Cyber Security Centre (NCSC-NO) was called in to investigate.
The attackers exploited CVE-2023-35078 to access the EPMM platform managing mobile devices for twelve government ministries. From there, they were able to:
- Access email accounts and contacts of government employees
- Extract device configurations and network information
- Potentially access documents and communications on managed devices
The Norwegian government confirmed that the Prime Minister's office and the Ministry of Defence were not affected, as they use a separate IT infrastructure. However, twelve other ministries were compromised.
A Second Vulnerability: CVE-2023-35081
As if CVE-2023-35078 wasn't bad enough, investigators discovered a second vulnerability while analyzing the attacks. CVE-2023-35081 is a path traversal vulnerability that allows an authenticated attacker (which CVE-2023-35078 handily provides) to write arbitrary files to the EPMM server.
The two vulnerabilities were chained together: CVE-2023-35078 provided unauthenticated administrative access, and CVE-2023-35081 was used to deploy web shells for persistent access. This chaining meant that patching CVE-2023-35078 alone was insufficient if the attacker had already leveraged CVE-2023-35081.
CISA issued an advisory on August 1 covering both vulnerabilities and their use in chained exploitation.
Attribution and Scope
While Norway did not publicly attribute the attack to a specific nation-state, the sophistication of the operation and the targeting of government infrastructure pointed to a state-sponsored actor. The attack bore hallmarks of advanced persistent threat (APT) operations: zero-day exploitation, precise targeting, and operational patience.
Beyond Norway, the vulnerability affected Ivanti EPMM deployments globally. Shodan scans revealed thousands of internet-exposed EPMM instances, many running vulnerable versions. Government agencies and enterprises worldwide scrambled to patch.
CISA added CVE-2023-35078 to the Known Exploited Vulnerabilities catalog on July 25, 2023, giving federal agencies a deadline to patch or mitigate.
MDM Platforms as High-Value Targets
Mobile Device Management platforms are uniquely dangerous when compromised. An MDM platform has:
- Administrative control over every managed device. This includes the ability to push configurations, install apps, and wipe devices.
- Access to user credentials and certificates. MDM platforms often distribute Wi-Fi, VPN, and email credentials to managed devices.
- Visibility into user communications. Depending on the configuration, MDM can access email, contacts, and calendar data.
- Network access information. MDM platforms know which networks devices connect to and can reveal internal network architecture.
Compromising an MDM platform is essentially a skeleton key to an organization's mobile fleet. For government agencies managing devices that handle classified or sensitive communications, this is a worst-case scenario.
Lessons for Organizations
Minimize internet exposure of management platforms. MDM platforms need internet connectivity to manage remote devices, but access to administrative interfaces should be restricted to known IP ranges or placed behind VPN.
Patch MDM platforms with the same urgency as firewalls. MDM platforms are as critical as network edge devices. They should be patched within hours of a critical vulnerability disclosure, not days or weeks.
Monitor MDM platforms for anomalous administrative actions. New admin account creation, bulk configuration changes, and unusual API access patterns should trigger alerts.
Plan for MDM compromise in your incident response playbook. If your MDM is compromised, you need a plan for revoking credentials, re-enrolling devices, and assessing data exposure across your entire mobile fleet.
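The monitoring lesson above is easy to state and less easy to operationalize. The following script is an added example, not part of the original post and not Ivanti code: it scans a handful of constructed MDM access-log lines for three of the signals the post recommends alerting on (administrative API calls with no authenticated session, administrative API calls from outside a management allowlist, new admin account creation) and adds a fourth, a burst of configuration changes by one actor. The log format, API path prefix, usernames, IP ranges and thresholds are all hypothetical placeholders chosen for the example.

```python
"""
Added example (not from the original post and not Ivanti's product code): a small
detector over constructed MDM access-log lines for the administrative anomalies the
post says should trigger alerts. Log format, API paths, actors, IP ranges and
thresholds are hypothetical placeholders.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: timestamp, source IP, method, path, status, actor, action
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})'
    r' actor=(?P<actor>\S+) action=(?P<action>\S+)$'
)

# Constructed sample: normal admin work from the management range, then admin API hits
# from an untrusted address with no session, an admin account creation, and a burst of
# configuration changes by a service account.
SAMPLE_LOG = """\
2023-07-20T09:00:01Z 10.20.0.5 GET /api/v1/devices 200 actor=it-admin action=device.list
2023-07-20T09:00:14Z 10.20.0.5 PUT /api/v1/config/wifi 200 actor=it-admin action=config.update
2023-07-20T22:13:02Z 203.0.113.77 GET /api/v1/admin/users 200 actor=- action=admin.list
2023-07-20T22:13:05Z 203.0.113.77 POST /api/v1/admin/users 201 actor=- action=admin.create
2023-07-20T22:13:30Z 203.0.113.77 PUT /api/v1/config/vpn 200 actor=svc-backup action=config.update
2023-07-20T22:13:31Z 203.0.113.77 PUT /api/v1/config/email 200 actor=svc-backup action=config.update
2023-07-20T22:13:32Z 203.0.113.77 PUT /api/v1/config/wifi 200 actor=svc-backup action=config.update
2023-07-20T22:13:33Z 203.0.113.77 PUT /api/v1/config/cert 200 actor=svc-backup action=config.update
"""

ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # hypothetical management range
ADMIN_PATH_PREFIX = "/api/v1/admin/"                 # hypothetical admin API prefix
BURST_THRESHOLD = 3                                  # config changes per actor per window
BURST_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text):
    """Return a list of (rule_name, log_line) alerts for the anomaly classes below."""
    alerts = []
    config_changes = defaultdict(list)  # actor -> timestamps of recent config updates
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        outside = not any(src in net for net in ADMIN_NETS)
        is_admin_api = rec["path"].startswith(ADMIN_PATH_PREFIX)
        succeeded = rec["status"] < 400

        # Rule 1: successful admin API call with no authenticated actor
        if is_admin_api and rec["actor"] == "-" and succeeded:
            alerts.append(("unauthenticated_admin_api", line))
        # Rule 2: admin API call from outside the management allowlist
        if is_admin_api and outside:
            alerts.append(("admin_api_from_untrusted_source", line))
        # Rule 3: new admin account created, wherever the request came from
        if rec["action"] == "admin.create" and succeeded:
            alerts.append(("admin_account_created", line))
        # Rule 4: one actor changing configuration repeatedly inside a short window
        if rec["action"] == "config.update" and succeeded:
            recent = config_changes[rec["actor"]]
            recent.append(rec["ts"])
            cutoff = rec["ts"] - BURST_WINDOW
            recent[:] = [t for t in recent if t >= cutoff]
            if len(recent) == BURST_THRESHOLD:  # alert once when the threshold is reached
                alerts.append(("config_change_burst", line))
    return alerts


def summarize(alerts):
    """Count alerts per rule so a reviewer sees the shape of the activity at a glance."""
    return Counter(rule for rule, _ in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for rule, line in found:
        print(f"[{rule}] {line}")
    print(dict(summarize(found)))
```

In a real deployment the allowlist, path prefix and field names would come from the product's own audit log and your network plan; the point of the example is that the four rules are cheap to evaluate on every line and that the first two would have fired on the first request of the pattern the post describes, before any account was created.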
How Safeguard.sh Helps
Safeguard.sh provides comprehensive vulnerability tracking for infrastructure components including mobile device management platforms. Our platform monitors vendor security bulletins, CISA KEV updates, and threat intelligence feeds to alert you the moment a critical vulnerability like CVE-2023-35078 is disclosed for software in your environment. Safeguard.sh's SBOM capabilities extend beyond code dependencies to include your management infrastructure, ensuring that high-value targets like MDM platforms receive the security attention they demand.