
CVE-2023-35082

Critical 🇺🇸 CISA KEV ⚡ Exploit Available
Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability — Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core contain an authentication bypass vulnerability
Published: Jan 18, 2024  ·  Source: CISA_KEV
CVSS v3: 9.0
📄 Description (English)

Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability — Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core contain an authentication bypass vulnerability that allows unauthorized users to access restricted functionality or resources of the application.

🤖 AI Executive Summary

CVE-2023-35082 is a critical authentication bypass vulnerability (CVSS 9.0) affecting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core, widely deployed Mobile Device Management (MDM) platforms. The flaw allows unauthenticated remote attackers to access restricted API endpoints and sensitive resources without valid credentials. Active exploitation has been confirmed in the wild, with threat actors leveraging this vulnerability to extract user data, device information, and potentially pivot into enterprise networks. Immediate patching is essential as MDM platforms represent high-value targets providing broad access to managed mobile endpoints across organizations.

🤖 AI Intelligence Analysis Analyzed: Apr 18, 2026 02:20
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations face elevated risk given the widespread adoption of Ivanti/MobileIron MDM solutions across critical sectors. Government entities under NCA oversight managing thousands of mobile endpoints are at high risk of sensitive data exfiltration. Banking and financial institutions regulated by SAMA that rely on MDM for securing employee and customer-facing mobile devices could face regulatory breaches and data exposure. Saudi Aramco, NEOM, and energy sector organizations using MDM to manage operational technology-adjacent mobile devices face potential lateral movement risks. Telecom operators (STC, Mobily, Zain) managing large mobile fleets are also exposed. The authentication bypass could allow attackers to enumerate all managed devices, extract PII, corporate credentials, and MDM configuration profiles — effectively compromising the entire mobile security posture of an organization. Given Saudi Arabia's Vision 2030 digital transformation initiatives driving increased mobile device adoption, the attack surface is significantly expanded.
🏢 Affected Saudi Sectors
Government, Banking, Energy, Telecom, Healthcare, Defense, Education, Transportation
⚖️ Saudi Risk Score (AI): 9.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS (0-24 hours):
1. Identify all instances of Ivanti EPMM and MobileIron Core in your environment using asset inventory tools.
2. Isolate internet-facing EPMM/MobileIron Core instances behind VPN or restrict external access immediately.
3. Block unauthenticated access to the /mifs/aad/api/v2/ and related API endpoints at the WAF/perimeter firewall level.
4. Review access logs for anomalous API calls, especially unauthenticated requests to restricted endpoints — look for HTTP 200 responses to API paths without valid session tokens.

PATCHING GUIDANCE:
5. Apply Ivanti's official patches immediately: EPMM versions 11.10, 11.9, and 11.8 have patches available — upgrade to the latest supported version.
6. For MobileIron Core, apply the vendor-provided hotfix as per Ivanti Security Advisory SA-2023-0016.
7. Verify patch integrity using vendor-provided checksums before deployment.

COMPENSATING CONTROLS (if patching is delayed):
8. Implement IP allowlisting to restrict EPMM admin portal access to known management IP ranges only.
9. Deploy a Web Application Firewall (WAF) rule to block requests matching the vulnerable API path patterns.
10. Enable multi-factor authentication on all administrative accounts.
11. Disable unnecessary API endpoints via the admin console.

DETECTION RULES:
12. SIEM Rule: Alert on HTTP 200 responses to /mifs/aad/api/v2/* without a valid Authorization header.
13. Monitor for bulk device enumeration requests (>50 API calls per minute from a single IP).
14. Check for new admin account creation or configuration changes post-exploitation.
15. Deploy Ivanti's provided IOC list and integrate with threat intelligence feeds.
16. Conduct forensic review of EPMM logs for the past 90 days to identify potential prior exploitation.
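
Detection rules 12 and 13 applied to access-log lines, as an added example that is not part of the original page or Ivanti's tooling. It assumes an Apache common-log layout in which the third field is "-" when the request carried no authenticated identity; the sample lines, IP addresses and the "EXAMPLE" sub-path are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

API_PREFIX = "/mifs/aad/api/v2/"   # path named in the remediation steps
RATE_LIMIT = 50                    # API calls per minute per IP (rule 13)
WINDOW = timedelta(minutes=1)

# Assumed Apache common log format: third field is "-" when unauthenticated.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def analyze(lines):
    """Return (unauth_hits, bulk_ips); lines must be in time order."""
    unauth_hits, bulk_ips = [], set()
    recent = defaultdict(deque)  # ip -> timestamps of API calls in window
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(API_PREFIX):
            continue  # skip unparsable lines and non-API traffic
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Rule 12: HTTP 200 on the API path with no authenticated identity.
        if m["status"] == "200" and m["user"] == "-":
            unauth_hits.append((m["ip"], m["path"], ts))
        # Rule 13: sliding one-minute window per source IP.
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] >= WINDOW:
            q.popleft()
        if len(q) > RATE_LIMIT:
            bulk_ips.add(m["ip"])
    return unauth_hits, bulk_ips

def sample_log():
    """Constructed sample: one admin call, one unauthenticated burst, one 401."""
    lines = ['10.0.0.5 - admin [18/Jan/2024:09:00:00 +0300] '
             '"GET /mifs/aad/api/v2/EXAMPLE HTTP/1.1" 200 120']
    for i in range(60):  # 60 calls inside one minute from a single IP
        lines.append(f'203.0.113.7 - - [18/Jan/2024:09:05:{i:02d} +0300] '
                     f'"GET /mifs/aad/api/v2/EXAMPLE?page={i} HTTP/1.1" 200 900')
    lines.append('203.0.113.9 - - [18/Jan/2024:09:06:00 +0300] '
                 '"GET /mifs/aad/api/v2/EXAMPLE HTTP/1.1" 401 0')
    return lines

if __name__ == "__main__":
    hits, bulk = analyze(sample_log())
    print(len(hits), "unauthenticated 200s; bulk sources:", sorted(bulk))
```

If the appliance or proxy in front of it does not log an authenticated identity, rule 12 needs a field that records session or token presence instead; the rate rule works on any log that carries source IP, path and timestamp.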
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC-1: 3-2 — Asset Management and Classification
ECC-1: 4-1 — Identity and Access Management (IAM)
ECC-1: 4-2 — Authentication and Authorization Controls
ECC-1: 5-1 — Cybersecurity Event Logging and Monitoring
ECC-1: 6-1 — Vulnerability Management
ECC-1: 7-1 — Mobile Device Security
ECC-1: 2-4 — Third-Party and Cloud Security
🔵 SAMA CSF
3.3 — Cyber Security Operations (Vulnerability Management)
3.4 — Third-Party Cybersecurity
4.2 — Access Control Management
4.3 — Identity Management
4.7 — Mobile Device Security
5.1 — Cybersecurity Incident Management
🟡 ISO 27001:2022
A.8.8 — Management of Technical Vulnerabilities
A.8.3 — Information Access Restriction
A.5.15 — Access Control
A.5.16 — Identity Management
A.8.12 — Data Leakage Prevention
A.8.19 — Installation of Software on Operational Systems
A.6.7 — Remote Working (Mobile Device Policy)
🟣 PCI DSS v4.0
Requirement 6.3 — Security Vulnerabilities are Identified and Addressed
Requirement 6.3.3 — All System Components Protected from Known Vulnerabilities
Requirement 7.2 — Access to System Components is Appropriately Defined
Requirement 8.2 — User Identification and Authentication
Requirement 12.3.2 — Targeted Risk Analysis for Mobile Devices
📦 Affected Products / CPE 1 entries
Ivanti:Endpoint Manager Mobile (EPMM) and MobileIron Core
📋 Quick Facts
Severity: Critical
CVSS Score: 9.0
EPSS: 94.42%
Exploit: ✓ Yes
Patch: ✓ Yes
CISA KEV: 🇺🇸 Yes
KEV Due Date: 2024-02-08
Published: 2024-01-18
Source Feed: cisa_kev
🏷️ Tags
kev actively-exploited ransomware