Patch your Ivanti EPMM – Norwegian government hacked via 0-day

Sicherheit (Pexels, allgemeine Nutzung)[German]Administrators should ugently patch its Ivanti EPMM used in their environment, because older version contains a 0-day vulnerability. In Norway, the ICT platform (information and communications system) on which 12 ministries operate was attacked via this 0-day vulnerability.


The cyber incident

I became aware recently of the cyber incident yesterday from my colleagues at Bleeping Computer. he Norwegian DSS has released this statement about it. The facts in a nutshell:

  • The Norwegian government's security and service organization has uncovered a data attack on the ICT platform of 12 ministries. The case is currently under police investigation.
  • The relevant authorities and institutions have been informed of the incident, and government work continues. The DSS has taken a number of security measures to protect information stored on the ICT platform, it says. Further security measures may be required, which is under ongoing review.
  • DSS has established a crisis team and is investigating and managing the incident with support from the Norwegian Security Agency (NSM) and other security organizations.
  • The hack was discovered through a previously unknown vulnerability in a supplier's software. This vulnerability was exploited by an unknown actor. That vulnerability has now been closed, it said.

The DSS release said it is too early to say anything about who was behind the attack and its extent. Investigations and police inquiries will be able to shed more light, hopes Erik Hope, director of the Norwegian Government Organization for Security and Service (DSS).

Attack via 0-Day in Ivanti EPMM

The colleagues at Bleeping Computer have been staying on the topic – I've only been following it on the sidelines. In this post they reported that the attack could take place over a 0-Day. They say the Norwegian Security Authority (NSM) confirmed that attackers exploited a zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM, MobileIron Core) to hack and penetrate the software platform used by 12 Norwegian ministries.

According to the NSM, it was the first time exploitation of the vulnerability had been observed. "This vulnerability was unique and was discovered for the first time here in Norway. If we had published the information about the vulnerability too early, it could have contributed to it being abused elsewhere in Norway and the rest of the world. The update is now publicly available, and it is wise to disclose the nature of the vulnerability," says Sofie Nystrøm, director of the Norwegian Security Agency.

The NCSC now advises of an actively exploited zero-day vulnerability, CVE-2023-35078, in the Ivanti Endpoint Manager (EPMM) product, formerly known as MobileIron Core. The vulnerability affects a number of versions of the software, and Ivanti provided details in this security advisory.


CVE-2023-35078 is an authentication bypass vulnerability in Ivanti EPMM that allows unauthorized users to access restricted features or resources of the application without proper authentication. If exploited, this vulnerability could potentially allow an unauthorized, remote (Internet-facing) actor to access users' personal information and make limited changes to the server.

This vulnerability affects all supported versions – version 11.4, 11.10, 11.9 and 11.8 and has received CVSS index of 10.0 . Older versions/releases are also at risk. The alert states that Ivanti is only aware of a very limited number of customers that are affected. They are actively working with customers and partners to investigate this situation. Since the Norwegians have closed the vulnerability, there seem to be mitigations or patches.

Vianti has probably given hints in the Knowledge Base article – but it is only accessible to customers after registration. The colleagues from Bleeping Computer write that according to the search engine, more than 2900 instances of the Ivanti platform are publicly accessible via the Internet. About three dozen portals belong to local or state US authorities, some are also located in Germany, the UK and Hong Kong.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *