Ivanti has confirmed that a recently discovered vulnerability affecting its Sentry mobile gateway has been exploited in attacks.
The existence of the vulnerability, tracked as CVE-2023-38035 and rated ‘critical severity’, came to light on August 21. Ivanti said the flaw allows an unauthenticated attacker to “access some sensitive APIs that are used to configure Ivanti Sentry on the administrator portal”.
Mnemonic, the cybersecurity firm that reported the issue to Ivanti, revealed that a hacker could exploit the weakness to “read and write files to the Ivanti Sentry server and execute OS commands as system administrator (root) through use of ‘super user do’ (sudo)”.
The advisory that Ivanti initially made public was not clear on whether the vulnerability has actually been exploited in the wild as a zero-day, only saying that the company was “aware of a limited number of customers impacted by CVE-2023-38035”.
In a knowledge base article that was published later, however, Ivanti clarified that it’s aware of active exploitation of the zero-day against a very limited number of customers. This suggests that the flaw has been exploited in highly targeted attacks, possibly by state-sponsored threat actors.
Other recently found Ivanti product vulnerabilities — CVE-2023-35078 and CVE-2023-35081 affecting Ivanti Endpoint Manager Mobile (EPMM) — have been exploited in attacks aimed at the Norwegian government. Attacks exploiting the vulnerabilities reportedly also targeted police in Switzerland.
Ivanti also clarified that it learned about CVE-2023-38035 exploitation after CVE-2023-35078 and CVE-2023-35081.
The vendor noted that this is not a supply chain attack and that its own systems have not been compromised because it does not use Sentry internally.
The US Cybersecurity and Infrastructure Security Agency (CISA) also confirmed active exploitation of CVE-2023-38035, adding it to its Known Exploited Vulnerabilities Catalog and instructing government agencies to address it by September 12.
The Ivanti Sentry vulnerability impacts versions 9.18, 9.17, 9.16 and prior, and the vendor has released RPM scripts that should prevent exploitation against supported versions. The vendor also pointed out that attacks are only possible through the System Manager Portal on port 8443 and the risk of exploitation is low when this port is not exposed to the internet.
Also on Tuesday, in addition to the Ivanti product vulnerability, CISA added CVE-2023-27532 to its ‘must patch’ list. This is a Veeam Cloud Connect Replication flaw that was seen being exploited by the FIN7 cybercrime group in the spring and more recently by the Cuba ransomware group.