CVE Catalog

Actively exploited in the wild

Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability

Ivanti — Endpoint Manager Mobile (EPMM) · Listed in the CISA KEV since 2023-07-31. This indicates confirmed attacks in production environments.

Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2023-35081

High · CVSS 7.2 · KEV

Exploitation Probability (EPSS)

Very high risk
63.32%

99th percentile — higher than 99% of all known CVEs

Summary

A path traversal vulnerability in Ivanti EPMM allows an authenticated administrator to write arbitrary files onto the appliance. It affects versions 11.10.x before 11.10.0.3, 11.9.x before 11.9.1.2, and 11.8.x before 11.8.1.2.

Risk Assessment

This vulnerability could lead to unauthorized access to the system and potential introduction of malware, threatening the integrity and confidentiality of organizational data.

Recommendation

Update Ivanti EPMM to the latest version to mitigate this vulnerability. Additionally, audit administrator permissions in the system.

Original NVD description (English source)

A path traversal vulnerability in Ivanti EPMM versions (11.10.x < 11.10.0.3, 11.9.x < 11.9.1.2 and 11.8.x < 11.8.1.2) allows an authenticated administrator to write arbitrary files onto the appliance.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS