CVE-2023-35078

Critical · CISA KEV · Exploit Available
Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability
Published: Jul 25, 2023  ·  Source: CISA_KEV
CVSS v3: 9.0
📄 Description (English)

Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability — Ivanti Endpoint Manager Mobile (EPMM, previously branded MobileIron Core) contains an authentication bypass vulnerability that allows unauthenticated access to specific API paths. An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system. An attacker can also make other configuration changes including installing software and modifying security profiles on registered devices.

🤖 AI Executive Summary

CVE-2023-35078 is a critical authentication bypass vulnerability in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, with a CVSS score of 9.0. Unauthenticated attackers can access sensitive API endpoints to exfiltrate personally identifiable information (PII) including names, phone numbers, and mobile device details. Beyond data theft, attackers can install malicious software and alter security profiles on managed mobile devices, effectively compromising the entire mobile device management (MDM) infrastructure. This vulnerability has a confirmed public exploit and has been actively exploited in the wild, including by nation-state actors, making immediate remediation essential.

🤖 AI Intelligence Analysis (analyzed: Apr 18, 2026 05:28)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations relying on Ivanti EPMM/MobileIron Core for mobile device management face severe risk across multiple critical sectors. Government entities under NCA oversight managing thousands of employee devices are at high risk of PII exfiltration and unauthorized configuration changes. Banking and financial institutions regulated by SAMA that use EPMM to manage mobile banking applications and employee devices could face regulatory breaches under SAMA CSF and PDPL (Personal Data Protection Law). Energy sector organizations including ARAMCO and NEOM project teams using MDM solutions for field operations face operational disruption. Telecom providers such as STC and Zain KSA managing large mobile fleets are particularly exposed. The Saudi PDPL (Personal Data Protection Law) mandates breach notification, making PII exfiltration a significant legal and reputational liability. Given Saudi Arabia's Vision 2030 digital transformation initiatives and widespread mobile workforce adoption, the attack surface is exceptionally broad.
🏢 Affected Saudi Sectors: Government, Banking, Energy, Telecom, Healthcare, Defense, Education, Transportation
⚖️ Saudi Risk Score (AI): 9.4 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (within 24 hours):
1. Isolate EPMM servers from public internet access immediately if patching cannot be completed within hours.
2. Apply Ivanti's emergency patch: upgrade to EPMM versions 11.10.0.2, 11.9.1.2, or 11.8.1.4 as applicable.
3. Review Ivanti's official security advisory at forums.ivanti.com for version-specific guidance.
4. Restrict access to EPMM API endpoints via firewall rules — block external access to /mifs/ and /api/v2/ paths.

PATCHING GUIDANCE:
5. Prioritize patching internet-facing EPMM instances first.
6. Apply Ivanti's RPM script patch if full version upgrade is not immediately feasible.
7. Verify patch integrity after application using Ivanti's provided checksums.

COMPENSATING CONTROLS (if patch unavailable):
8. Implement IP allowlisting to restrict API access to known administrative IP ranges only.
9. Deploy a WAF rule to block unauthenticated requests to vulnerable API paths.
10. Enable enhanced logging on EPMM servers and forward logs to SIEM immediately.

DETECTION RULES:
11. Monitor for anomalous GET/POST requests to /mifs/aad/api/v2/ and /api/v2/featurephone/mdm/device_data/ endpoints from unauthenticated sources.
12. Alert on bulk device data queries or unexpected configuration change API calls.
13. Search historical logs for exploitation indicators dating back 90 days.
14. Deploy YARA/Sigma rules for known exploit patterns associated with CVE-2023-35078.
15. Conduct forensic review of all registered devices for unauthorized profile installations.
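The detection rules above (steps 11 and 12) can be turned into a simple log check. The following is an added example, not part of the advisory or Ivanti's tooling: it scans web-server access logs for requests to the two API path prefixes named in step 11 from sources outside an assumed administrative allowlist (step 8) and flags sources that pull device data repeatedly (step 12). The log lines, the allowlist range and the bulk threshold are all constructed placeholders.

```python
import re
from collections import Counter

# Path prefixes named in detection rule 11 of the advisory.
WATCHED_PREFIXES = ("/mifs/aad/api/v2/", "/api/v2/featurephone/mdm/device_data/")
# Assumed administrative allowlist (rule 8); placeholder range, not a real one.
ADMIN_ALLOWLIST = ("10.20.30.",)
# Assumed threshold for what counts as a "bulk" device-data query (rule 12).
BULK_THRESHOLD = 3

# Combined log format: client ip, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
10.20.30.5 - - [24/Jul/2023:09:58:10 +0300] "GET /mifs/aad/api/v2/admins/users HTTP/1.1" 200 4410
203.0.113.7 - - [24/Jul/2023:10:01:02 +0300] "GET /mifs/aad/api/v2/admins/users HTTP/1.1" 200 5123
203.0.113.7 - - [24/Jul/2023:10:01:03 +0300] "GET /api/v2/featurephone/mdm/device_data/ HTTP/1.1" 200 98231
203.0.113.7 - - [24/Jul/2023:10:01:04 +0300] "GET /api/v2/featurephone/mdm/device_data/ HTTP/1.1" 200 97740
203.0.113.7 - - [24/Jul/2023:10:01:05 +0300] "GET /api/v2/featurephone/mdm/device_data/ HTTP/1.1" 200 98002
198.51.100.9 - - [24/Jul/2023:10:05:00 +0300] "GET /mifs/aad/api/v2/admins/users HTTP/1.1" 401 312
198.51.100.9 - - [24/Jul/2023:10:05:01 +0300] "GET /mifs/login.jsp HTTP/1.1" 200 2201
"""

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(log_text):
    """Return (hits, bulk_sources): watched-path requests from non-allowlisted
    sources with their status (a 2xx means the request got through), and the
    non-allowlisted IPs with >= BULK_THRESHOLD successful such requests."""
    hits, successes = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(WATCHED_PREFIXES):
            continue
        if rec["ip"].startswith(ADMIN_ALLOWLIST):
            continue  # expected administrative traffic
        hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
        if rec["status"].startswith("2"):
            successes[rec["ip"]] += 1
    bulk = sorted(ip for ip, n in successes.items() if n >= BULK_THRESHOLD)
    return hits, bulk

if __name__ == "__main__":
    hits, bulk = analyse(SAMPLE_LOG)
    for hit in hits:
        print("suspicious:", *hit)
    print("bulk sources:", bulk)
```

A 401 or 403 on a watched path from an external source shows the compensating control held; a 2xx is the line to escalate.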
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-1-4-2: Authentication and Access Control — authentication bypass directly violates access control requirements
ECC-2-3-1: Mobile Device Management security controls
ECC-1-3-2: Protection of sensitive and personal data (PII exfiltration)
ECC-2-6-1: Vulnerability and patch management — requires timely patching of critical vulnerabilities
ECC-1-7-1: Cybersecurity incident management and response

🔵 SAMA CSF
3.3.3 Access Control Management — authentication bypass violates access control domain
3.3.6 Mobile Device Security — direct impact on MDM infrastructure
3.4.2 Vulnerability Management — critical patch application requirements
3.3.9 Data Protection and Privacy — PII exfiltration risk
3.5.1 Cybersecurity Incident Management

🟡 ISO 27001:2022
A.8.3 Information Access Restriction — unauthenticated API access
A.8.5 Secure Authentication — authentication bypass
A.8.8 Management of Technical Vulnerabilities — patch management
A.5.34 Privacy and Protection of PII — personal data exposure
A.8.12 Data Leakage Prevention
A.6.7 Remote Working — mobile device security

🟣 PCI DSS v4.0
Requirement 6.3.3: All system components protected from known vulnerabilities by patching
Requirement 8.2: User identification and authentication — authentication bypass
Requirement 12.3.3: Hardware and software technologies reviewed for vulnerabilities
Requirement 7.2: Access control systems — unauthorized API access
📦 Affected Products / CPE (1 entry): Ivanti:Endpoint Manager Mobile (EPMM)
📋 Quick Facts
Severity: Critical
CVSS v3 Score: 9.0 / 10.0 (Critical)
EPSS: 94.47%
Exploit available: Yes
Patch available: Yes
CISA KEV: Yes (due date 2023-08-15)
Published: 2023-07-25
Source feed: cisa_kev
Saudi Risk Score (AI): 9.4 / 10.0
🏷️ Tags: kev, actively-exploited, ransomware