The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners are releasing a joint Cybersecurity Advisory (CSA), 2022 Top Routinely Exploited Vulnerabilities. This advisory provides details on the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2022, and the associated Common Weakness Enumeration(s) (CWE), to help organizations better understand the impact exploitation could have on their systems. International partners include: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), New Zealand Computer Emergency Response Team (CERT-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).

The authoring agencies urge all organizations to review and implement the recommended mitigations detailed in this advisory.  The advisory provides vendors, designers, and developers recommendations on implementing secure-by-design and -default principles and tactics to reduce the prevalence of vulnerabilities in their software and end-user organizations’ recommendations to reduce the risk of compromise by malicious cyber actors. 

Organizations should share information about incidents and unusual cyber activity with their respective cybersecurity authorities because when cyber incidents are reported quickly, it can contribute to stopping further attacks.

In the U.S., organizations should inform CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870, or an FBI field office.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA), Threat Actors Exploiting Ivanti EPMM Vulnerabilities, in response to the active exploitation of CVE-2023-35078 and CVE-2023-35081 affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells. 

In July 2023, NCSC-NO became aware of advanced persistent threat (APT) actors exploiting a zero-day vulnerability in Ivanti EPMM, formerly known as MobileIron Core, to target a Norwegian government network. CISA and NCSC-NO are concerned about the potential for widespread exploitation of both vulnerabilities in government and private sector networks because threat actors, including APT actors, have previously exploited a MobileIron vulnerability.  

Ivanti released a patch for CVE-2023-35078 on July 23, 2023. Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability, CVE-2023-35081, and released a patch for the second vulnerability on July 28, 2023.   

CISA and NCSC-NO recommend administrators use the CISA developed nuclei templates to determine if their system has these vulnerabilities and use the NCSC-NO developed checklist to identify signs of compromise. 

All organizations are urged to review Threat Actors Exploiting Ivanti EPMM Vulnerabilities and implement its recommended actions and mitigations. 

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2023-35801 Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability 

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column—which will sort by descending dates.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Ivanti has identified and released patches for a directory traversal vulnerability (CVE-2023-35081, CWE-22) in Ivanti Endpoint Manager Mobile (EPMM). This vulnerability allows an attacker with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. The attacker could then execute the uploaded file, for example, a web shell. To gain EPMM administrator privileges, the attacker could exploit CVE-2023-35078 on an unpatched system.

Ivanti reports active exploitation of both CVE-2023-35081 and CVE-2023-35078. 

This vulnerability affects supported EPMM versions 11.10, 11.9, and 11.8. Older, unsupported versions are also affected. 

CISA urges users and organizations to patch both CVE-2023-35081 and CVE-2023-35078. Patches for CVE-2023-35081 also include patches for CVE-2023-35078 (refer to our prior alert.)

CISA released five Industrial Control Systems (ICS) advisories on July 27, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 

• ICSA-23-208-01 ETIC Telecom RAS Authentication
• ICSA-23-208-02 PTC KEPServerEX
• ICSA-23-208-03 Mitsubishi Electric CNC Series
• ICSA-22-307-01 ETIC RAS (Update A)
• ICSA-22-172-01 Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update B)

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.