Mallory
Critical | CISA KEV | Exploited in the wild | Public exploit

Ivanti EPMM Remote Unauthenticated API Access Authentication Bypass

Identifiers: CVE-2023-35082, CWE-288

CVE-2023-35082 is a critical authentication bypass / unauthenticated API access vulnerability in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core. It affects Ivanti EPMM 11.8, 11.9, and 11.10, and MobileIron Core 11.7 and below. Ivanti reported that additional exploitation paths exist depending on appliance configuration. The flaw allows a remote unauthenticated actor to access restricted API functionality without proper authentication, including access via the URI path /mifs/asfV3/api/v2/. Public reporting describes it as distinct from, but related to, CVE-2023-35078. Successful exploitation can expose operations documented in the product API and permit unauthorized interaction with protected application resources. Multiple sources also note that the issue is exploitable over HTTP and not HTTPS.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an internet-facing unauthenticated attacker to access sensitive data, including users’ personally identifiable information (PII), and to make limited modifications to the EPMM/MobileIron Core platform. The vulnerability has been reported as actively exploited in the wild and added to CISA’s Known Exploited Vulnerabilities catalog. When chained with another flaw such as CVE-2023-35081, the impact can escalate to arbitrary file write, web shell deployment, backdooring of the server, and potential OS command execution.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, Ivanti recommended network-level mitigation: block all internet-exposed ports except 443, 9997, and 8883, because exploitation was reported as possible only over HTTP and not HTTPS. Administrators may need to whitelist the IPs of required external services, such as Microsoft 365 or ActiveSync, to reduce operational impact. Additional defensive measures include monitoring web access logs for requests to /mifs/asfV3/api/v2/ that return HTTP 200, reviewing the compromise indicators published by Rapid7, and restricting exposure of EPMM interfaces to trusted networks where feasible.
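As an added example (not code from Mallory, Ivanti, or Rapid7), the log check described above as a small Python scanner. It assumes the front-end access log is in the common "combined" format; EPMM's own log layout may differ, so the regex is the part to adjust. The sample lines are constructed, not real telemetry.

```python
import re

# Combined access-log format (assumption: adjust LOG_RE if the EPMM
# front end writes a different field order).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Restricted API path named in the Ivanti advisory for CVE-2023-35082.
SUSPECT_PREFIX = "/mifs/asfV3/api/v2/"


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_suspect(entry):
    """True for a successful (HTTP 200) request under the restricted API path."""
    path = entry["path"].split("?", 1)[0]  # ignore the query string
    return path.startswith(SUSPECT_PREFIX) and entry["status"] == 200


def scan(lines):
    """Return the parsed entries that match the advisory's log-monitoring check."""
    return [e for e in map(parse_line, lines) if e and is_suspect(e)]


# Constructed sample lines: two successful hits, one 401, one unrelated page, one unparseable.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2023:02:14:01 +0000] "GET /mifs/asfV3/api/v2/ HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.7 - - [10/Aug/2023:02:14:05 +0000] "GET /mifs/asfV3/api/v2/users?size=50 HTTP/1.1" 200 8122 "-" "curl/7.88"
198.51.100.20 - - [10/Aug/2023:02:15:00 +0000] "GET /mifs/asfV3/api/v2/ HTTP/1.1" 401 87 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Aug/2023:02:16:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not an access-log record
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
```

A 200 on this path from an unauthenticated source is the signal the advisory points at; a 401 or 403 on the same path is the expected behaviour on a patched or mitigated appliance.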

Remediation

Patch, then assume compromise.

Upgrade affected systems to a supported fixed release and apply Ivanti's vendor-provided remediation. Ivanti recommended upgrading first to supported releases 11.8.1.2, 11.9.1.2, or 11.10.0.3 and then applying the RPM script released for CVE-2023-35082. Ivanti later stated that the issue was patched in version 11.11.0.0. The RPM script should be run on all servers in the deployment, including primary, secondary, and tertiary nodes. Unsupported versions earlier than 11.8 should be upgraded to a supported version; the script was reported effective on 11.7 and installable on 11.3 and above, but versions prior to 11.3 are not effectively remediated by the script and may become unstable.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.


EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor: Ivanti
Product: Endpoint Manager Mobile
Type: application

Vendor-confirmed product mapping.
