← Back to Explore
splunk_escuTTP
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivanti's software products. It identifies access to the specific URI path /mifs/asfV3/api/v2/ with an HTTP 200 response code in web access logs, indicating successful unauthorized access. This activity is significant for a SOC as it highlights potential security breaches that could lead to unauthorized data access or system modifications. If confirmed malicious, an attacker could gain unbridled access to sensitive organizational data or modify systems maliciously, posing severe security risks.
Detection Query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url="*/mifs/asfV3/api/v2/*"
Web.status=200
BY Web.http_user_agent Web.status Web.http_method
Web.url Web.url_length Web.src Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter`Author
Michael Haag, Splunk
Created
2026-03-27
Data Sources
Suricata
References
- https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US
- https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py
- https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/
Tags
Ivanti EPMM Remote Unauthenticated Access
Raw Content
name: Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
id: e03edeba-4942-470c-a664-27253f3ad351
version: 8
date: '2026-03-27'
author: Michael Haag, Splunk
status: production
type: TTP
data_source:
- Suricata
description: |-
The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivanti's software products.
It identifies access to the specific URI path /mifs/asfV3/api/v2/ with an HTTP 200 response code in web access logs, indicating successful unauthorized access.
This activity is significant for a SOC as it highlights potential security breaches that could lead to unauthorized data access or system modifications.
If confirmed malicious, an attacker could gain unbridled access to sensitive organizational data or modify systems maliciously, posing severe security risks.
search: |-
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url="*/mifs/asfV3/api/v2/*"
Web.status=200
BY Web.http_user_agent Web.status Web.http_method
Web.url Web.url_length Web.src Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter`
how_to_implement: |-
To implement this analytic, a network product similar to Suricata or Palo Alto needs to be mapped to the Web datamodel. Modify accordingly to work with your products.
known_false_positives: |-
Similar to CVE-2023-35078, the path for exploitation indicates that status=200 is required for successful exploitation of the vulnerability.
False positives may be present if status=200 is removed from the search.
If it is removed,then the search also alert on status=301 and status=404 which indicates unsuccessful exploitation attempts.
Analysts may find it useful to hunt for these status codes as well, but it is likely to produce a significant number of alerts as this is a widespread vulnerability.
references:
- https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-API-Access-Vulnerability-in-MobileIron-Core-11-2-and-older?language=en_US
- https://github.com/vchan-in/CVE-2023-35078-Exploit-POC/blob/main/cve_2023_35078_poc.py
- https://www.rapid7.com/blog/post/2023/08/02/cve-2023-35082-mobileiron-core-unauthenticated-api-access-vulnerability/
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Potential CVE-2023-35082 against an Ivanti EPMM appliance on $dest$.
risk_objects:
- field: dest
type: system
score: 50
threat_objects: []
tags:
analytic_story:
- Ivanti EPMM Remote Unauthenticated Access
asset_type: Web Server
cve:
- CVE-2023-35082
atomic_guid: []
mitre_attack_id:
- T1190
- T1133
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/ivanti/suricata_ivanti_CVE202335082.log
source: not_applicable
sourcetype: suricata