The IT software company has rolled out urgent patches to fix a zero-day vulnerability affecting the Ivanti Sentry (formerly MobileIron Sentry) product.
The vulnerability, tracked as CVE-2023-38035, is an improper authentication issue that could be exploited by a remote hacker to bypass authentication process and execute arbitrary code on the system. Ivanti Sentry versions 9.18 and prior are said to be impacted.
The bug does not affect other Ivanti products or solutions, such as Ivanti EPMM, MobileIron Cloud or Ivanti Neurons for MDM.
“If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure Ivanti Sentry on the administrator portal (commonly, MICS). While the issue has a high CVSS score, there is a low risk of exploitation for customers who do not expose 8443 to the internet,” the company said in a security advisory.
Ivanti didn’t share any details regarding how and when the vulnerability has been exploited. The company said it's “only aware of a limited number of customers” who have been affected.
The development comes in less than a month after it was revealed that a couple of zero-day vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) product were exploited in the attacks on the Norwegian government.