Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082

Status: production
Severity: medium
Group by: Web.src, Web.status, Web.url_length, c-uri, c-useragent, cs-host, cs-method
Author: Michael Haag, Splunk
Source: github.com/splunk/security_content

The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivanti's software products. It identifies access to the specific URI path /mifs/asfV3/api/v2/ with an HTTP 200 response code in web access logs, indicating successful unauthorized access. This activity is significant for a SOC as it highlights potential security breaches that could lead to unauthorized data access or system modifications. If confirmed malicious, an attacker could gain unbridled access to sensitive organizational data or modify systems maliciously, posing severe security risks.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1133` External Remote Services, `T1190` Exploit Public-Facing Application
Persistence	`T1133` External Remote Services

Rule body splunk

name: Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
id: e03edeba-4942-470c-a664-27253f3ad351
version: 10
creation_date: '2023-08-08'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: TTP
description: |-
    The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivanti's software products.
    It identifies access to the specific URI path /mifs/asfV3/api/v2/ with an HTTP 200 response code in web access logs, indicating successful unauthorized access.
    This activity is significant for a SOC as it highlights potential security breaches that could lead to unauthorized data access or system modifications.
    If confirmed malicious, an attacker could gain unbridled access to sensitive organizational data or modify systems maliciously, posing severe security risks.
data_source:
    - Suricata
search: |-
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
            max(_time) as lastTime
    
    FROM datamodel=Web WHERE
    
    Web.url="*/mifs/asfV3/api/v2/*"
    Web.status=200
    
    BY Web.http_user_agent Web.status Web.http_method
       Web.url Web.url_length Web.src Web.dest
    
    | `drop_dm_object_name("Web")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter`
how_to_implement: |-
    To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.
known_false_positives: |-
    Similar to CVE-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability.
    False positives may be present if status=200 is removed from the search.
    If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts.
    Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.
references:
    - https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US
    - https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py
    - https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: Potential CVE-2023-35082 against an Ivanti EPMM appliance on $dest$.
    entity:
        field: dest
        type: system
        score: 50
analytic_story:
    - Ivanti EPMM Remote Unauthenticated Access
asset_type: Web Server
cve:
    - CVE-2023-35082
mitre_attack_id:
    - T1190
    - T1133
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: web
security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335082.log
          source: not_applicable
          sourcetype: suricata
      test_type: unit

Stages and Predicates

Stage 1: `tstats`

| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

FROM datamodel=Web WHERE

Web.url="*/mifs/asfV3/api/v2/*"
Web.status=200

BY Web.http_user_agent Web.status Web.http_method
   Web.url Web.url_length Web.src Web.dest

Stage 2: `search`

| `drop_dm_object_name("Web")`

Stage 3: `search`

| `security_content_ctime(firstTime)`

Stage 4: `search`

| `security_content_ctime(lastTime)`

Stage 5: `search`

| `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Web.status`	eq	`200`
`Web.url`	eq	`"/mifs/asfV3/api/v2/"`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: `tstats`

Stage 2: `search`

Stage 3: `search`

Stage 4: `search`

Stage 5: `search`

Indicators

Keyboard shortcuts

Search operators

Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: tstats

Stage 2: search

Stage 3: search

Stage 4: search

Stage 5: search

Indicators

Stage 1: `tstats`

Stage 2: `search`

Stage 3: `search`

Stage 4: `search`

Stage 5: `search`