Ivanti warns of second vulnerability used in attacks on Norway gov’t

A second vulnerability affecting mobile endpoint management software from IT giant Ivanti has been discovered, according to a new advisory from the company.

Ivanti released an advisory on Friday afternoon about CVE-2023-35081 – a zero-day vulnerability that is different from the one hackers used to compromise a dozen Norwegian government agencies on Monday.

“A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions – releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. This vulnerability is different from CVE-2023-35078, released on July 23,” the company said.

“As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081.”

The advisory says the vulnerability allows a threat actor to take a variety of actions on a victim device and can be used in conjunction with the first bug to bypass administrator authentication.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published its own warning about the advisory, urging customers of the company to immediately patch their devices due to the exploitation of both vulnerabilities.

CISA added CVE-2023-35078 to its Known Exploited Vulnerabilities catalog on Tuesday following confirmation by Norway’s government that it was used in the attacks on several agencies.

“This vulnerability was unique, and was discovered for the very first time here in Norway,” said Sofie Nystrøm, director of Norway’s National Security Agency. “If we had released the information about the vulnerability too early, it could have contributed to it being misused elsewhere in Norway and in the rest of the world.”

EPMM is used widely across multiple governments, including in the U.S., and a search on the security platform Shodan showed dozens of agencies in the U.S. and Europe potentially exposed to the issue, among thousands of other potential victims.

According to CISA, the vulnerability could allow hackers to remotely access victims’ personally identifiable information, such as names, phone numbers, and other mobile device details.

An attacker can also make other configuration changes, including creating an administrative account that can make further changes to a vulnerable system, CISA said Monday in a security alert.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.