Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Exploitation of Ivanti Sentry Zero-Day Confirmed

While initially it was unclear if the Ivanti Sentry vulnerability CVE-2023-38035 has been exploited, the vendor and CISA have now confirmed it.

Ivanti zero-day

Ivanti has confirmed that a recently discovered vulnerability affecting its Sentry mobile gateway has been exploited in attacks.

The existence of the vulnerability, tracked as CVE-2023-38035 and rated ‘critical severity’, came to light on August 21. Ivanti said the flaw allows an unauthenticated attacker to “access some sensitive APIs that are used to configure Ivanti Sentry on the administrator portal”. 

Mnemonic, the cybersecurity firm that reported the issue to Ivanti, revealed that a hacker could exploit the weakness to “read and write files to the Ivanti Sentry server and execute OS commands as system administrator (root) through use of ‘super user do’ (sudo)”.

The advisory that Ivanti initially made public was not clear on whether the vulnerability has actually been exploited in the wild as a zero-day, only saying that the company was “aware of a limited number of customers impacted by CVE-2023-38035”.

In a knowledge base article that was published later, however, Ivanti clarified that it’s aware of active exploitation of the zero-day against a very limited number of customers. This suggests that the flaw has been exploited in highly targeted attacks, possibly by state-sponsored threat actors. 

Other recently found Ivanti product vulnerabilities — CVE-2023-35078 and CVE-2023-35081 affecting Ivanti Endpoint Manager Mobile (EPMM) — have been exploited in attacks aimed at the Norwegian government. Attacks exploiting the vulnerabilities reportedly also targeted police in Switzerland.

Ivanti also clarified that it learned about CVE-2023-38035 exploitation after CVE-2023-35078 and CVE-2023-35081.

The vendor noted that this is not a supply chain attack and that its own systems have not been compromised because it does not use Sentry internally. 

Advertisement. Scroll to continue reading.

The US Cybersecurity and Infrastructure Security Agency (CISA) also confirmed active exploitation of CVE-2023-38035, adding it to its Known Exploited Vulnerabilities Catalog and instructing government agencies to address it by September 12. 

The Ivanti Sentry vulnerability impacts versions 9.18, 9.17, 9.16 and prior, and the vendor has released RPM scripts that should prevent exploitation against supported versions. The vendor also pointed out that attacks are only possible through the System Manager Portal on port 8443 and the risk of exploitation is low when this port is not exposed to the internet. 

Also on Tuesday, in addition to the Ivanti product vulnerability, CISA added CVE-2023-27532 to its ‘must patch’ list. This is a Veeam Cloud Connect Replication flaw that was seen being exploited by the FIN7 cybercrime group in the spring and more recently by the Cuba ransomware group.

Related: Citrix Zero-Day Exploited Against Critical Infrastructure Organization

Related: Adobe Releases New Patches for Exploited ColdFusion Vulnerabilities

Related: Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Bill Dunnion has joined telecommunications giant Mitel as Chief Information Security Officer.

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.