Ivanti has confirmed that a recently discovered vulnerability affecting its Sentry mobile gateway has been exploited in attacks.
The existence of the vulnerability, tracked as CVE-2023-38035 and rated ‘critical severity’, came to light on August 21. Ivanti said the flaw allows an unauthenticated attacker to “access some sensitive APIs that are used to configure Ivanti Sentry on the administrator portal”.
Mnemonic, the cybersecurity firm that reported the issue to Ivanti, revealed that a hacker could exploit the weakness to “read and write files to the Ivanti Sentry server and execute OS commands as system administrator (root) through use of ‘super user do’ (sudo)”.
The advisory that Ivanti initially made public was not clear on whether the vulnerability has actually been exploited in the wild as a zero-day, only saying that the company was “aware of a limited number of customers impacted by CVE-2023-38035”.
In a knowledge base article that was published later, however, Ivanti clarified that it’s aware of active exploitation of the zero-day against a very limited number of customers. This suggests that the flaw has been exploited in highly targeted attacks, possibly by state-sponsored threat actors.
Other recently found Ivanti product vulnerabilities — CVE-2023-35078 and CVE-2023-35081 affecting Ivanti Endpoint Manager Mobile (EPMM) — have been exploited in attacks aimed at the Norwegian government. Attacks exploiting the vulnerabilities reportedly also targeted police in Switzerland.
Ivanti also clarified that it learned about CVE-2023-38035 exploitation after CVE-2023-35078 and CVE-2023-35081.
The vendor noted that this is not a supply chain attack and that its own systems have not been compromised because it does not use Sentry internally.
The US Cybersecurity and Infrastructure Security Agency (CISA) also confirmed active exploitation of CVE-2023-38035, adding it to its Known Exploited Vulnerabilities Catalog and instructing government agencies to address it by September 12.
The Ivanti Sentry vulnerability impacts versions 9.18, 9.17, 9.16 and prior, and the vendor has released RPM scripts that should prevent exploitation against supported versions. The vendor also pointed out that attacks are only possible through the System Manager Portal on port 8443 and the risk of exploitation is low when this port is not exposed to the internet.
Also on Tuesday, in addition to the Ivanti product vulnerability, CISA added CVE-2023-27532 to its ‘must patch’ list. This is a Veeam Cloud Connect Replication flaw that was seen being exploited by the FIN7 cybercrime group in the spring and more recently by the Cuba ransomware group.
Related: Citrix Zero-Day Exploited Against Critical Infrastructure Organization
Related: Adobe Releases New Patches for Exploited ColdFusion Vulnerabilities
Related: Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- NIST Publishes Final Version of 800-82r3 OT Security Guide
- Johnson Controls Hit by Ransomware
- Verisoul Raises $3.25 Million in Seed Funding to Detect Fake Users
- Government Shutdown Could Bench 80% of CISA Staff
- Google Rushes to Patch New Zero-Day Exploited by Spyware Vendor
- macOS 14 Sonoma Patches 60 Vulnerabilities
- New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
