CVE-2023-35078

CRITICAL KEV RANSOMWARE NUCLEI

Ivanti Endpoint Manager Mobile < 11.8.1.1 - Unauthenticated Authentication Bypass

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2023-35078 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 25, 2023, with confirmed use in ransomware campaigns. EIP tracks 9 public exploits from researchers including vchan-in, vaishnochaitanya, raytheon0x21. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC exploits CVE-2023-35078, an unauthenticated API access vulnerability in Ivanti Endpoint Manager Mobile (EPMM). It checks for vulnerable versions and extracts user data via an insecure API endpoint.

Description

An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication.

Exploits (9)

nomisec WORKING POC 118 stars
by vchan-in · infoleak
https://github.com/vchan-in/CVE-2023-35078-Exploit-POC

This PoC exploits CVE-2023-35078, an unauthenticated API access vulnerability in Ivanti Endpoint Manager Mobile (EPMM). It checks for vulnerable versions and extracts user data via an insecure API endpoint.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ivanti Endpoint Manager Mobile (EPMM) versions <= 11.4
No auth needed
Prerequisites: Network access to the target EPMM instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 117 stars
by vaishnochaitanya · poc
https://github.com/vaishnochaitanya/CVE-2023-35078-Exploit-POC

This repository contains a functional Python script that exploits CVE-2023-35078, an unauthenticated API access vulnerability in Ivanti Endpoint Manager Mobile (EPMM). The script checks for vulnerable versions and extracts user data via an insecure API endpoint.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ivanti Endpoint Manager Mobile (EPMM) versions <= 11.4
No auth needed
Prerequisites: Network access to the target EPMM instance
devstral-2 · analyzed May 30, 2026 Full analysis →
nomisec WORKING POC 5 stars
by raytheon0x21 · poc
https://github.com/raytheon0x21/CVE-2023-35078

This Go-based PoC exploits CVE-2023-35078, an unauthenticated API access vulnerability in Ivanti MobileIron. It checks for vulnerable versions (≤11.4) and extracts user data via an insecure endpoint.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ivanti MobileIron (versions ≤11.4)
No auth needed
Prerequisites: Network access to the target · Vulnerable Ivanti MobileIron instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER 5 stars
by lager1 · poc
https://github.com/lager1/CVE-2023-35078

This repository contains a Bash script to check if a target Ivanti EPMM (formerly MobileIron Core) instance is vulnerable to CVE-2023-35078 by examining version and copyright information. It does not exploit the vulnerability but helps identify potentially vulnerable systems.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ivanti EPMM (MobileIron Core) versions 11.8.1.1, 11.9.1.1, 11.10.0.2 and below
No auth needed
Prerequisites: Network access to the target system · Target system running Ivanti EPMM
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by 0nsec · remote
https://github.com/0nsec/CVE-2023-35078

This is a Python-based proof-of-concept exploit for CVE-2023-35078, targeting Ivanti MobileIron Core's unauthenticated API access vulnerability. It extracts sensitive user data by exploiting improper authentication validation in the `/mifs/aad/api/v2/authorized/users` endpoint.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Ivanti MobileIron Core (versions 11.2 prior to CU21, 11.3 prior to CU18, 11.4 prior to CU8)
No auth needed
Prerequisites: Network access to the target system · Python 3.6+ · Requests library
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec STUB 1 stars
by emanueldosreis · infoleak
https://github.com/emanueldosreis/nmap-CVE-2023-35078-Exploit

This repository contains only a README describing an Nmap script for exploiting CVE-2023-35078, but no actual exploit code is provided. The README instructs users to save a script file and run it with Nmap, but the script itself is missing.

Classification
Stub 80%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Mobile Iron Core
No auth needed
Prerequisites: Nmap installed · Network access to target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC
by dyeat · pythonpoc
https://github.com/dyeat/cve-reproduction/tree/main/Ivanti/EPMM/CVE-2023-35078

The repository contains a functional Python script that exploits CVE-2023-35078, an authentication bypass vulnerability in Ivanti EPMM. The script checks the target version and exploits an unauthenticated API endpoint to dump user data.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Ivanti Endpoint Manager Mobile (EPMM) <= 11.4
No auth needed
Prerequisites: network access to the target · vulnerable version of Ivanti EPMM
devstral-2 · analyzed May 22, 2026 Full analysis →
nomisec SCANNER
by Blue-number · remote
https://github.com/Blue-number/CVE-2023-35078

This PoC checks for the presence of CVE-2023-35078, an information disclosure vulnerability in Ivanti Endpoint Manager Mobile (EPMM). It sends a GET request to a specific endpoint and checks if the response status code is 200, indicating potential vulnerability.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ivanti Endpoint Manager Mobile (EPMM)
No auth needed
Prerequisites: Network access to the target EPMM instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER
by synfinner · infoleak
https://github.com/synfinner/CVE-2023-35078

This script checks for the presence of CVE-2023-35078 by querying the `/mifs/aad/api/v2/ping` endpoint of Ivanti EPMM. It verifies vulnerability by checking the response for a `vspVersion` field, indicating an info leak.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ivanti EPMM (MobileIron Core)
No auth needed
Prerequisites: Network access to the target Ivanti EPMM instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Ivanti Endpoint Manager Mobile (EPMM) - Authentication Bypass
CRITICALVERIFIEDby parth,pdresearch
Shodan: http.favicon.hash:362091310 || http.favicon.hash:"362091310"
FOFA: icon_hash="362091310"

References (5)

Core 5

Scores

CVSS v3 9.8
EPSS 0.9444
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-07-25
VulnCheck KEV 2023-07-24
InTheWild.io 2023-07-25
ENISA EUVD EUVD-2023-39113
Ransomware Use Confirmed
CWE
CWE-287
Status published
Products (1)
ivanti/endpoint_manager_mobile < 11.8.1.1
Published Jul 25, 2023
KEV Added Jul 25, 2023
Tracked Since Feb 18, 2026