Ivanti urges customers to apply patch for exploited MobileIron vulnerability

The IT giant Ivanti is urging customers to apply a patch for a vulnerability in a product used by dozens of governments around the world.

An Ivanti spokesperson told Recorded Future News that it recently became aware of a vulnerability impacting its Endpoint Manager Mobile customers. The product was formerly called MobileIron Core before it was purchased by Ivanti in 2020.

Concerns about the vulnerability, tracked as CVE-2023-35078, grew after several cybersecurity experts warned that the zero day was being exploited. The issue affects versions 11.10, 11.9 and 11.8, as well as older end-of-life installations of the program. Patches have been released for 11.8.1.1, 11.9.1.1 and 11.10.0.2.

“We immediately developed and released a patch and are actively engaging with customers to help them apply the fix. Our customers’ security is our top priority,” Ivanti said, arguing that it is “practicing responsible disclosure protocols.”

The company did not respond to several questions about the issue and the remediation process, which has drawn criticism for being confusing after they initially took down a public advisory about the issue. The company has declined to publish a public advisory for the issue, instead putting it behind a paywall.

While the company did not say publicly if the bug has been exploited, in the private advisory only available to Ivanti customers it said it has been used in attacks on customers.

Endpoint Manager Mobile is used widely among governments across the world, and a search on the security platform Shodan showed dozens of agencies in the U.S. and Europe potentially exposed to the issue.

The issue was first reported by the German news outlet Heise and BleepingComputer.