Critical Zero-Day Vulnerability in Ivanti Endpoint Manager (MobileIron Core) Uncovered

In a press conference held on Monday, July 24, 2023, the Norwegian National Security Authority (Nasjonal sikkerhetsmyndighet, NSM) and the Ministry of Defense’s Security and Service Organization (Departementenes sikkerhets- og serviceorganisasjon, DSS) jointly announced the discovery of a zero-day vulnerability that was exploited in a cyberattack against DSS.

While managing the incident at DSS, the National Security Authority’s Cybersecurity Center (Nasjonalt cybersikkerhetssenter, NCSC) had an ongoing dialogue with the software provider and other collaborators to address the vulnerability within DSS’s systems. Simultaneously, a series of measures were taken to minimize the risk of the vulnerability being exploited elsewhere in Norway and globally.

The software update developed by the provider successfully patched the vulnerability in DSS’s systems. However, for security reasons, NSM refrained from disclosing the name of the specific software exploited at the time of the press conference.

“This vulnerability was unique and was identified for the first time in Norway. Early disclosure of this information could have led to its exploitation in other parts of Norway and the world. Now that the update is widely available, it is appropriate to announce the nature of the vulnerability,” said Sofie Nystrøm, Director of the Norwegian National Security Authority.

The National Cyber Security Center (NCSC) at NSM issued a notice regarding the vulnerability. The notice describes an actively exploited zero-day vulnerability, identified as CVE-2023-35078, in the product Ivanti Endpoint Manager (EPMM), previously known as MobileIron Core. This vulnerability impacts several versions of the software.

NCSC has alerted all known system owners in Norway who have MobileIron Core accessible on the internet about the available security update. NCSC strongly recommends immediate installation of these security updates.

For more information, interested parties can refer to the manufacturer’s website.

A zero-day vulnerability gives a threat actor the opportunity to exploit a flaw that neither the manufacturer nor the users are aware of. Protecting against such vulnerabilities is challenging.

Since the discovery of the vulnerability, NSM has been collaborating to inform other Norwegian organizations using the same software. Furthermore, there has been an ongoing dialogue with the software manufacturer and other national and international partners.