How to Fix CVE-2023-35082: Ivanti EPMM / MobileIron Core Auth Bypass
*By Sai Kiran Pandrala*
| Severity | CVSS 10.0, Critical |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV (added 2024-01-18) |
| Affected | Ivanti Endpoint Manager Mobile (EPMM) 11.10 and earlier, plus legacy MobileIron Core 11.2 and earlier |
| Fixed in | Ivanti EPMM 11.10.0.2 and later (see vendor knowledge article); upgrade off end-of-life MobileIron Core |
| Type (CWE) | Authentication Bypass (related to CWE-287) |
⚠️ Patch or take offline. This CVE was chained with CVE-2023-35078 in real attacks for full unauthenticated RCE. CISA added it to KEV on January 18, 2024. Public exploit code exists.
What is CVE-2023-35082?
Ivanti EPMM (the rebranded name for what used to be called MobileIron Core) exposes a management API. The authentication check on certain API paths is missing or improperly applied in EPMM 11.10 and earlier. An unauthenticated remote attacker can call those paths and access restricted functionality, including reading and modifying device records.
By itself the bug is "just" unauthenticated information disclosure plus partial admin functionality. But CVE-2023-35082 was disclosed alongside CVE-2023-35078, and the combination chained into full remote code execution on the EPMM appliance, which is how the active-exploitation reports started rolling in. CISA's KEV listing reflects the combined risk.
EPMM manages enterprise mobile devices (BYOD policies, app pushes, MDM certificates, VPN configs). A compromised EPMM gives an attacker policy-level control over every managed iPhone, Android device, and corporate laptop in the fleet.
Am I affected?
You are affected if either is true:
- You run Ivanti EPMM version 11.10 or earlier (no patch applied)
- You run legacy MobileIron Core 11.2 or earlier (end-of-life, should already be retired)
To check EPMM version:
- Log into the EPMM Admin Portal.
- Go to Settings → System Information. The build number is at the top of the page.
- Or SSH into the appliance and run:

```
show version
```
If the displayed version is 11.10 or below and the patched build (per Ivanti's knowledge article) is not installed, you are affected.
If you are still running MobileIron Core (any version), the urgency is higher. MobileIron Core has been end-of-life since November 2022; Ivanti is not issuing fixes for it. The remediation is to migrate to EPMM (the supported product) on a patched build.
How to fix CVE-2023-35082
For Ivanti EPMM
- Open the Ivanti knowledge article linked in the references section. Ivanti publishes the exact patched build per supported train. The minimum fixed version is EPMM 11.10.0.2, but the recommended target is the latest GA release on the supported train.
- Download the patch bundle from the Ivanti support portal (your maintenance contract entitles you to access).
- Back up the appliance config. From the EPMM CLI:

```
system backup
```
Verify the backup file is present in the configured backup repository before proceeding.
- Apply the patch from the Admin Portal under Settings → System Maintenance → Software Updates. Upload the patch package, validate the signature, install.
- Reboot the appliance when prompted. For HA pairs (active/standby), patch the standby first, fail over, then patch the formerly-active.
- Re-enroll a test device after the upgrade to confirm device-management flows still work end-to-end.
For MobileIron Core (end-of-life)
The only supported remediation path is to migrate to Ivanti EPMM. There is no security patch for MobileIron Core 11.2 or earlier. Ivanti's published guidance:
- Stand up a new EPMM appliance at the latest supported build.
- Use Ivanti's MobileIron Core → EPMM migration tooling to move device records.
- Decommission the old MobileIron Core appliance immediately after migration.
If migration cannot happen in your patch window, at minimum take the MobileIron Core appliance off the public network; it should never have been internet-exposed in the first place.
If you can't patch immediately
Ivanti's advisory does not provide a feature-toggle workaround. The vulnerable API paths are part of the core EPMM service. Compensating controls:
- Block public access to the EPMM admin and API ports at your perimeter firewall. EPMM should be reachable from mobile devices via the gateway (which is a separate component), not via direct admin-port exposure.
- Restrict admin access to a known administrative network and/or VPN-only.
- Increase logging and monitoring on the EPMM access logs. Look for unauthenticated requests to API endpoints that should require auth; successful ones are exploitation attempts.
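The monitoring control above, as an added example that is not part of the original article: a small triage script that flags successful (2xx) requests to protected EPMM API paths coming from outside the administrative network. It assumes an NCSA combined access-log layout and a hypothetical admin range of 198.51.100.0/24; EPMM's real log format may differ, so adjust `LOG_RE` before pointing it at appliance logs. The sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: NCSA combined format. Adapt LOG_RE to your appliance's actual layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# API prefixes that must never answer without credentials (path from the article).
PROTECTED_PREFIXES = ("/api/v2/",)
# Hypothetical trusted admin/VPN range; replace with your own.
ADMIN_NETS = [ipaddress.ip_network("198.51.100.0/24")]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def from_admin_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)

def is_suspicious(rec):
    """2xx on a protected API path from a source that is not on the admin network."""
    return (rec["path"].startswith(PROTECTED_PREFIXES)
            and rec["status"].startswith("2")
            and not from_admin_net(rec["ip"]))

def find_unauth_api_hits(lines):
    """Return (ip, path, status) for every suspicious line; unparsable lines are skipped."""
    return [(r["ip"], r["path"], r["status"])
            for r in map(parse_line, lines) if r and is_suspicious(r)]

# Constructed sample log lines (not real EPMM output).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2024:10:01:02 +0000] "GET /api/v2/authorized/users HTTP/1.1" 200 5123
203.0.113.7 - - [20/Jan/2024:10:01:03 +0000] "GET /api/v2/devices HTTP/1.1" 200 88120
198.51.100.4 - admin [20/Jan/2024:10:05:00 +0000] "GET /api/v2/devices HTTP/1.1" 200 88120
203.0.113.9 - - [20/Jan/2024:11:00:00 +0000] "GET /api/v2/authorized/users HTTP/1.1" 401 0
192.0.2.10 - - [20/Jan/2024:11:30:00 +0000] "GET /admin/login HTTP/1.1" 200 2048
""".splitlines()

if __name__ == "__main__":
    hits = find_unauth_api_hits(SAMPLE_LOG)
    for ip, path, status in hits:
        print(f"ALERT {status} on {path} from {ip} (outside admin network)")
    print("hits per source:", dict(Counter(ip for ip, _, _ in hits)))
```

A 401 from an external source (the fourth sample line) is a probe that was refused and is reported only in aggregate; the 200s from 203.0.113.7 are the lines worth an incident ticket.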
How to verify the fix worked
- From the EPMM CLI:

```
show version
```
Output should show the patched build (11.10.0.2 or higher, on a supported train).
- From the Admin Portal, Settings → System Information displays the same build identifier.
- Test the previously-vulnerable API paths with an unauthenticated client:

```bash
curl -i -k https://<your-epmm>/api/v2/authorized/users
```
The expected post-patch response is HTTP 401 Unauthorized, not 200 with data.
- Run an authenticated vulnerability scan. The CVE-2023-35082 finding should clear.
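The two checks above (version at or above 11.10.0.2, and a 401 on the unauthenticated API call), as an added example that is not part of the original article. `MIN_FIXED` is the minimum from the page; other supported trains have their own fixed builds per Ivanti's knowledge article. `probe_unauth` keeps TLS verification on, unlike the `-k` in the curl line, and the hostname you pass is your own.

```python
import ssl
import urllib.error
import urllib.request

MIN_FIXED = "11.10.0.2"  # minimum fixed build from the article; per-train builds come from Ivanti

def parse_version(text):
    """'11.10.0.2' -> (11, 10, 0, 2); a trailing build tag such as '-7' is ignored."""
    core = text.strip().split("-")[0]
    return tuple(int(p) for p in core.split("."))

def is_patched_version(version, min_fixed=MIN_FIXED):
    """True when version >= min_fixed; shorter tuples are zero-padded so '11.10' < '11.10.0.2'."""
    v, m = parse_version(version), parse_version(min_fixed)
    width = max(len(v), len(m))
    return v + (0,) * (width - len(v)) >= m + (0,) * (width - len(m))

def classify_unauth_status(status):
    """Verdict for the HTTP status of the unauthenticated API probe."""
    if status == 401:
        return "patched"
    if status == 403:
        return "blocked"  # may be a WAF/firewall rather than the patch; still confirm the build
    if 200 <= status < 300:
        return "VULNERABLE"  # protected path answered without credentials
    return "inconclusive"

def probe_unauth(base_url, path="/api/v2/authorized/users", timeout=10):
    """Perform the article's curl check without credentials and return the status code."""
    ctx = ssl.create_default_context()
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "epmm-fix-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

if __name__ == "__main__":
    import sys
    build, host = sys.argv[1], sys.argv[2]  # e.g. "11.10.0.2" "https://epmm.example.internal"
    print("build ok" if is_patched_version(build) else "build BELOW minimum fixed version")
    print("unauth probe:", classify_unauth_status(probe_unauth(host)))
```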
Frequently asked questions
Related fixes
Other vulnerabilities in the same area that are worth patching alongside this one:
- How to Fix CVE-2023-41727: An attacker sending specially crafted data packets to the Mobile Device Serve... in Wavelink
- How to Fix CVE-2023-46221: Avalanche (Bundle Sibling)
- How to Fix CVE-2023-46216: Wavelink (Bundle Sibling)
- How to Fix CVE-2023-46808: Arbitrary File Upload in ITSM
- How to Fix CVE-2023-46259: Avalanche (Bundle Sibling)
Is CVE-2023-35082 being exploited?
Yes. CISA's KEV listing on January 18, 2024 documents confirmed in-the-wild exploitation, and the vulnerability was chained with CVE-2023-35078 in observed attacks for full unauthenticated RCE.
What is the relationship between CVE-2023-35082 and CVE-2023-35078?
They are two separate Ivanti EPMM vulnerabilities disclosed in the same window. CVE-2023-35078 is the higher-impact RCE; CVE-2023-35082 is the auth bypass. In real attacks they were chained together. Upgrading to the fixed EPMM build covers both.
Is MobileIron Sentry affected?
MobileIron Sentry is a separate product (the gateway component) and has its own CVEs. Check the specific Sentry advisory separately if you run it. The Ivanti EPMM patch fixes only EPMM.
References
- Official Ivanti knowledge article: https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulne
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-35082
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
*This guide was assembled from the official Ivanti knowledge article, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against Ivanti's advisory before applying changes in production.*