CVE-2023-35078

An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
hackeroneCNA
10 CRITICAL
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
VendorProductVersion
ivantiendpoint_manager_mobile
11.10.0.2 <
𝑥
< 11.10.0.2
ivantiendpoint_manager_mobile
11.9.1.1 <
𝑥
< 11.9.1.1
ivantiendpoint_manager_mobile
11.8.1.1 <
𝑥
< 11.8.1.1
ivantiendpoint_manager_mobile
𝑥
≤ 11.8.1.0
ivantiendpoint_manager_mobile
𝑥
< 11.8.1.1
ivantiendpoint_manager_mobile
11.9.0 ≤
𝑥
< 11.9.1.1
ivantiendpoint_manager_mobile
11.10 ≤
𝑥
< 11.10.0.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability
https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078
https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-security-updates-endpoint-manager-mobile-epmm-cve-2023-35078
https://www.ivanti.com/blog/cve-2023-35078-new-ivanti-epmm-vulnerability
https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability
https://forums.ivanti.com/s/article/KB-Remote-unauthenticated-API-access-vulnerability-CVE-2023-35078
https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-security-updates-endpoint-manager-mobile-epmm-cve-2023-35078
https://www.ivanti.com/blog/cve-2023-35078-new-ivanti-epmm-vulnerability