Security Snippets: Ivanti faced with a third critical vulnerability according to CISA

Hogan Lovells

Hogan Lovells [co-author: Rachel Dalton]

CISA has added a new Ivanti vulnerability to its known exploited vulnerabilities catalogue. This vulnerability can be paired with other recently reported vulnerabilities to permit threat actors to write malicious web shell files to the appliance.


CISA added a third vulnerability in Ivanti’s Endpoint Manager Mobile (EPMM) to its known exploited vulnerabilities (KEV) catalogue. This vulnerability is tracked as CVE-2023-35082 and has received a severity score of 9.8 out of 10. It can be used as a patch bypass for an additional Ivanti vulnerability that was used against the Norwegian government in April 2023.

Previous Ivanti vulnerabilities have been addressed in Hogan Lovells thought leadership. Ivanti released a patch for the first vulnerability on January 22 and plans to release a patch for the second vulnerability on February 19. Ivanti is aware of CVE-2023-35082 and has encouraged customers to update their technology for the greatest possible protection.

CISA recommends that federal agencies apply patches for all existing vulnerabilities by February 8, 2024.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
