Rapid7 finds new vulnerability in previously abused Ivanti tool MobileIron
Ivanti has acknowledged a new, serious authentication bypass vulnerability in MobileIron Core. That software was recently found to be vulnerable, which led to Norwegian ministries being hacked. Now a new bug has been found, but there will be no patch for it because it affects old versions.
The vulnerability is tracked as CVE-2023-35082. It was discovered by security researchers from Rapid7 while they were investigating the previous MobileIron vulnerability. Rapid7 provides few details about the bug. The only thing known about it is that it is an authentication bypass that can be exploited remotely. In a separate blog post, Ivanti says that this is possible on machines that are publicly accessible from the Internet.
Ivanti says it won’t fix the vulnerability because it doesn’t need to. The bug, which gets a CVSS score of 10, is in version 11.2 and lower of MobileIron Core. That version has not received any updates since March 15 last year. Instead, a new version of the software is available, which was renamed Ivanti Endpoint Manager Mobile last year. Therein lies the vulnerability.
It is the second time in a short period that a vulnerability has been found in MobileIron Core, a tool for managing phones. The previous occasion was at the end of July, in a high-profile case: the Norwegian government acknowledged that it had been hacked via a bug in MobileIron. That bug was a zero-day for which a patch is now available. It is not yet known whether this new vulnerability has been exploited before. It is that earlier bug that Rapid7 was investigating when it found the new one.
Update: The lead initially stated that a patch is available, but that is not the case because it is an old version.