📄 Description (English)
Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability — Ivanti Endpoint Manager Mobile (EPMM) contains a path traversal vulnerability that enables an authenticated administrator to perform malicious file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078 to bypass authentication and ACLs restrictions (if applicable).
🤖 AI Executive Summary
CVE-2023-35081 is a critical path traversal vulnerability in Ivanti Endpoint Manager Mobile (EPMM) with a CVSS score of 9.0, allowing authenticated administrators to write arbitrary malicious files to the EPMM server. When chained with CVE-2023-35078 (an authentication bypass vulnerability), this flaw can be exploited by unauthenticated attackers to achieve remote code execution, effectively bypassing all authentication and ACL restrictions. Active exploits are confirmed in the wild, making this a high-urgency threat requiring immediate remediation. Organizations relying on EPMM for mobile device management face significant risk of full server compromise and lateral movement into enterprise networks.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 18, 2026 05:27
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations across government, banking, and critical infrastructure sectors that deploy Ivanti EPMM for enterprise mobile device management (MDM) are at severe risk. Government entities under NCA oversight and SAMA-regulated financial institutions (banks, insurance companies) using EPMM to manage employee mobile devices could face complete MDM infrastructure compromise, enabling attackers to push malicious profiles to thousands of managed devices. Saudi Aramco, SABIC, and energy sector organizations using EPMM for operational technology (OT) adjacent mobile management face risks of lateral movement into sensitive networks. Telecom operators such as STC and Zain KSA managing large mobile fleets via EPMM are also highly exposed. The chained exploit with CVE-2023-35078 means even internet-facing EPMM instances without prior authentication are vulnerable, which is particularly dangerous for organizations with remote workforce MDM deployments common in post-Vision 2030 digital transformation initiatives.
🏢 Affected Saudi Sectors
Government
Banking & Financial Services
Energy & Oil/Gas
Telecommunications
Healthcare
Defense & National Security
Education
Retail & Commerce
⚖️ Saudi Risk Score (AI)
9.4
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (within 24 hours):
1. Apply Ivanti's official patch immediately — upgrade EPMM to versions 11.10.0.2, 11.9.1.2, or 11.8.1.4 or later as released by Ivanti.
2. If patching is not immediately possible, restrict access to the EPMM admin portal to trusted IP ranges only via firewall rules.
3. Audit all administrator accounts on EPMM for unauthorized additions or privilege escalations.
4. Review EPMM server file system for unexpected or recently modified files, especially in web-accessible directories.
5. Check for indicators of chained exploitation with CVE-2023-35078 — review authentication logs for anomalous API access patterns.
PATCHING GUIDANCE:
- Prioritize patching CVE-2023-35078 simultaneously as both vulnerabilities are exploited in tandem.
- Follow Ivanti's security advisory KB article for version-specific upgrade paths.
- Test patches in staging before production deployment but do not delay beyond 48-72 hours given active exploitation.
COMPENSATING CONTROLS (if patch unavailable):
- Place EPMM behind a VPN or Zero Trust Network Access (ZTNA) gateway — do not expose admin interfaces to the internet.
- Enable Web Application Firewall (WAF) rules to block path traversal patterns (e.g., ../, %2e%2e, encoded variants).
- Implement strict role-based access control and MFA for all EPMM administrator accounts.
- Disable unnecessary API endpoints on EPMM if supported by configuration.
DETECTION RULES:
- Monitor for HTTP requests containing path traversal sequences (../, %2f, %2e) targeting EPMM endpoints.
- Alert on unexpected file creation or modification events on the EPMM server (use FIM — File Integrity Monitoring).
- Correlate EPMM authentication logs with CVE-2023-35078 indicators: unauthenticated access to /mifs/aad/api/v2/ or similar endpoints.
- Deploy YARA/Sigma rules for known EPMM exploit payloads available from threat intelligence feeds.
- Monitor for outbound connections from the EPMM server to unknown external IPs (potential C2 activity post-exploitation).
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية (خلال 24 ساعة):
1. تطبيق التصحيح الرسمي من Ivanti فوراً — الترقية إلى الإصدارات 11.10.0.2 أو 11.9.1.2 أو 11.8.1.4 أو أحدث.
2. في حال تعذّر التصحيح الفوري، تقييد الوصول إلى بوابة إدارة EPMM على نطاقات IP موثوقة فقط عبر قواعد جدار الحماية.
3. مراجعة جميع حسابات المسؤولين على EPMM للكشف عن أي إضافات غير مصرح بها أو رفع للصلاحيات.
4. فحص نظام ملفات خادم EPMM بحثاً عن ملفات غير متوقعة أو معدّلة حديثاً، خاصة في المجلدات المتاحة عبر الويب.
5. التحقق من مؤشرات الاستغلال المتسلسل مع CVE-2023-35078 — مراجعة سجلات المصادقة للكشف عن أنماط وصول غير طبيعية لواجهة API.
إرشادات التصحيح:
- إعطاء الأولوية لتصحيح CVE-2023-35078 في آنٍ واحد نظراً لاستغلال الثغرتين معاً.
- اتباع المقالة الإرشادية الأمنية من Ivanti لمسارات الترقية الخاصة بكل إصدار.
- اختبار التصحيحات في بيئة التجهيز قبل النشر الإنتاجي مع عدم التأخر أكثر من 48-72 ساعة.
ضوابط التعويض (في حال عدم توفر التصحيح):
- وضع EPMM خلف VPN أو بوابة Zero Trust Network Access (ZTNA) وعدم كشف واجهات الإدارة على الإنترنت.
- تفعيل قواعد جدار حماية تطبيقات الويب (WAF) لحجب أنماط اجتياز المسار.
- تطبيق التحكم في الوصول المستند إلى الأدوار والمصادقة متعددة العوامل لجميع حسابات مسؤولي EPMM.
- تعطيل نقاط نهاية API غير الضرورية على EPMM إن أتاح ذلك الإعداد.
قواعد الكشف:
- مراقبة طلبات HTTP التي تحتوي على تسلسلات اجتياز المسار الموجهة لنقاط نهاية EPMM.
- التنبيه على أحداث إنشاء أو تعديل الملفات غير المتوقعة على خادم EPMM باستخدام مراقبة سلامة الملفات (FIM).
- ربط سجلات مصادقة EPMM بمؤشرات CVE-2023-35078.
- نشر قواعد YARA/Sigma لحمولات استغلال EPMM المعروفة.
- مراقبة الاتصالات الصادرة من خادم EPMM إلى عناوين IP خارجية مجهولة.
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-1-4-2: Cybersecurity Vulnerability Management — immediate patching of critical vulnerabilities
ECC-2-3-1: Access Control — restricting administrative access to critical systems
ECC-2-5-1: Secure Configuration Management — hardening MDM infrastructure
ECC-2-6-1: Cybersecurity Event Logging and Monitoring — detection of exploitation attempts
ECC-3-3-3: Mobile Device Management security controls
🔵 SAMA CSF
3.3.6 Vulnerability Management — critical patch application within defined SLA
3.3.2 Access Control Management — MFA and privileged access controls for MDM systems
3.3.9 Cyber Incident Management — response to active exploitation
3.3.7 Change Management — emergency patching procedures
3.4.1 Third-Party and Cloud Security — vendor patch monitoring for critical infrastructure
🟡 ISO 27001:2022
A.8.8 Management of technical vulnerabilities — timely patching of critical CVEs
A.8.2 Privileged access rights — restricting and auditing admin accounts on EPMM
A.8.15 Logging — monitoring EPMM access and file system changes
A.8.22 Filtering of web services — WAF controls for path traversal
A.5.30 ICT readiness for business continuity — MDM availability during incident response
🟣 PCI DSS v4.0
Requirement 6.3.3 — All system components protected from known vulnerabilities via patching
Requirement 7.2 — Access control systems for systems managing payment-adjacent mobile devices
Requirement 10.2 — Audit log implementation for MDM administrative actions
Requirement 12.3.2 — Targeted risk analysis for critical MDM infrastructure
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Ivanti:Endpoint Manager Mobile (EPMM)