CVE-2023-38035

Tags: Critical · KEV · Ransomware · Nuclei

Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)

Title source: metasploit

Exploitation Summary

CVE-2023-38035 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 22, 2023, with confirmed use in ransomware campaigns. EIP tracks 5 public exploits from researchers including horizon3ai, LeakIX and mind2hex, as well as a Metasploit module, exploits/linux/http/ivanti_sentry_misc_log_service. A Nuclei detection template is also available.


Description

A security vulnerability in the MICS Admin Portal of Ivanti MobileIron Sentry versions 9.18.0 and below may allow an attacker to bypass authentication controls on the administrative interface, due to an insufficiently restrictive Apache HTTPD configuration.

Exploits (5)

nomisec · WORKING POC · 40 stars
by horizon3ai · remote
https://github.com/horizon3ai/CVE-2023-38035

This repository contains a functional exploit for CVE-2023-38035, an unauthenticated command injection vulnerability in Ivanti Sentry. The exploit uses a Hessian proxy to interact with the vulnerable service endpoint and execute arbitrary commands as the root user.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Sentry
Authentication: none needed
Prerequisites: Network access to the target Ivanti Sentry instance · Python environment with required dependencies
Analysis: devstral-2, Feb 18, 2026
nomisec · WORKING POC · 7 stars
by LeakIX · remote
https://github.com/LeakIX/sentryexploit

This repository contains a functional exploit for CVE-2023-38035, an authentication bypass vulnerability in MobileIron Sentry. The exploit uses Hessian serialization to invoke the 'getApplianceLicenseInfo' method, extracting company name and contact email without authentication.

Classification: Working PoC (95%)
Attack type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: MobileIron Sentry (Ivanti Sentry)
Authentication: none needed
Prerequisites: Network access to the target Sentry appliance on port 8443
Analysis: devstral-2, Feb 18, 2026
nomisec · WORKING POC · 1 star
by mind2hex · poc
https://github.com/mind2hex/CVE-2023-38035-MobileIron-RCE

This repository contains a functional exploit for CVE-2023-38035, targeting MobileIron systems via a Hessian-based deserialization vulnerability. The exploit includes a Python script (`hessian.py`) for command execution and a bash script (`mics_hunter.sh`) for automated scanning and reverse shell setup.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MobileIron Core & Sentry (versions affected by CVE-2023-38035)
Authentication: none needed
Prerequisites: Shodan API key · Ngrok authtoken · Python3 · jq · terminator
Analysis: devstral-2, Feb 18, 2026
vulncheck_xdb · WORKING POC
remote
https://github.com/mind2hex/MICS_Hunter

This repository contains a functional exploit for CVE-2023-38035, targeting MobileIron systems via a Hessian deserialization vulnerability. The exploit includes a Python script (`hessian.py`) for command execution and a bash script (`mics_hunter.sh`) for automated scanning and reverse shell execution.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MobileIron
Authentication: none needed
Prerequisites: Shodan API key · ngrok configuration · Python dependencies (pyhessian) · ncat binary
Analysis: devstral-2, Feb 25, 2026
metasploit · WORKING POC · EXCELLENT
by Zach Hanley, James Horseman, jheysel-r7 · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ivanti_sentry_misc_log_service.rb

This Metasploit module exploits an authentication bypass in Ivanti Sentry (CVE-2023-38035) to achieve remote code execution as root via the Hessian binary web service protocol. It leverages the `uploadFileUsingFileInput` function to execute arbitrary commands.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Sentry (versions prior to patch)
Authentication: none needed
Prerequisites: Network access to port 8443/TCP · Vulnerable Ivanti Sentry instance
Analysis: devstral-2, Feb 16, 2026

Nuclei Templates (1)

Ivanti Sentry - Authentication Bypass
CRITICAL · VERIFIED · by DhiyaneshDk, iamnoooob, rootxharsh
Shodan: html:"Note: Requires a local Sentry administrative user" || http.html:"note: requires a local sentry administrative user"
FOFA: body="note: requires a local sentry administrative user"

Scores

CVSS v3: 9.8
EPSS: 0.9442
EPSS percentile: 100.0%
Attack vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: active
Automatable: yes
Technical impact: total

Details

CISA KEV: 2023-08-22
VulnCheck KEV: 2023-08-22
InTheWild.io: 2023-08-21
ENISA EUVD: EUVD-2023-41862
Ransomware use: Confirmed
CWE: CWE-863
Status: published
Products (1): ivanti/mobileiron_sentry < 9.18.0
Published: Aug 21, 2023
KEV added: Aug 22, 2023
Tracked since: Feb 18, 2026