CVE-2023-38035
CVE-2023-38035 is a critical-severity vulnerability in Ivanti Mobileiron Sentry with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-08-22). The underlying weakness is classified as CWE-863.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-08-22)
- EU (EUVD) id: EUVD-2023-41862
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-08-22)
- Weakness: CWE-863
- Affected product: Ivanti Mobileiron Sentry
- Published:
- Last modified:
Description
A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.
Ivanti MobileIron Sentry MICS Admin Portal Authentication Bypass (CVE-2023-38035)
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2023-38035 |
| Vendor | Ivanti |
| Product | MobileIron Sentry |
| CVSS v3.1 | 9.8 (Critical) |
| EPSS | 0.99949 (99.95th percentile) |
| CWE | CWE-863 — Incorrect Authorization |
| KEV | Listed (2023-08-22) |
| Exploited in EU | Yes (since 2023-08-22) |
| Published | 2023-08-21 |
| Assigner | HackerOne |
Summary
The MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below is vulnerable to an authentication bypass caused by an insufficiently restrictive Apache HTTPD configuration. An unauthenticated remote attacker can leverage this flaw to access the administrative interface, potentially leading to full system compromise.
Background
Ivanti MobileIron Sentry is a mobile gateway appliance that sits between an organization's mobile devices and its backend enterprise systems. The MICS (MobileIron Configuration Service) Admin Portal provides administrative access to manage the Sentry appliance. In affected versions, the underlying Apache HTTPD server is configured in a way that fails to enforce authentication on the administrative interface, allowing requests to reach protected endpoints without valid credentials.
Root Cause
The vulnerability is classified as CWE-863 (Incorrect Authorization). The Apache HTTPD configuration governing the MICS Admin Portal does not adequately restrict access to the administrative interface. This misconfiguration allows HTTP requests to bypass the intended authentication layer, effectively treating unauthenticated traffic as authorized for privileged endpoints.
Impact
With a CVSS v3.1 score of 9.8 (Critical), the impact is severe across all dimensions. The attack vector is Network, requires no privileges, no user interaction, and has Low attack complexity. Confidentiality, Integrity, and Availability are all rated HIGH. Successful exploitation grants an attacker full administrative access to the Sentry appliance, enabling configuration changes, data exfiltration, lateral movement, or service disruption.
Exploitation Walkthrough
Ethics Notice: This section describes the vulnerability mechanism for defensive purposes only. No weaponized exploit code is provided, and the information should be used to improve detection and remediation.
The flaw is architectural and configuration-based. An attacker can send crafted HTTP requests directly to the MICS Admin Portal endpoints without providing valid credentials. Because the Apache HTTPD configuration fails to enforce authentication, the appliance processes the request as if it originated from an authenticated administrator. No exploit code is required; the attack is essentially a direct request to a misconfigured resource. This vulnerability has been actively exploited in the wild since August 2023. Organizations should treat any Sentry appliance exposed to untrusted networks as potentially compromised.
Affected and Patched Versions
- Affected: Ivanti MobileIron Sentry versions 9.18.0 and below.
- Patched: The vendor has released patches; administrators should consult Ivanti's security advisory for the specific fixed version applicable to their deployment.
Remediation
- Upgrade Ivanti MobileIron Sentry to a patched version as soon as possible. Refer to Ivanti's official advisory for the exact fixed release.
- Restrict network access to the MICS Admin Portal to trusted administrative hosts only. Use firewall rules or VPN enforcement to eliminate internet-facing exposure.
- Review Apache HTTPD configuration files for overly permissive access controls or missing authentication directives.
- Rotate credentials after patching and review appliance logs for unauthorized access.
- Consider removing the MICS Admin Portal from internet-facing interfaces entirely.
Detection
- Monitor access logs for HTTP requests to the MICS Admin Portal from unexpected source IPs or geographies.
- Look for POST/PUT/DELETE requests to administrative endpoints without preceding authentication events.
- Correlate network traffic with successful logins from new or anomalous user-agent strings.
- Check for unauthorized configuration changes or newly created administrative accounts on the appliance.
- Review TLS/SSL termination logs for unusual patterns targeting the admin interface.
Assessment
EPSS: 0.99949 (99.95th percentile) indicates near-certain exploitation probability in the wild. The presence on CISA's KEV catalog (added 2023-08-22) and EU exploited status confirm this is not theoretical. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) describes a "perfect storm" vulnerability: trivial to exploit remotely with no barriers and maximum impact.
Lessons:
- Administrative interfaces must never be exposed to untrusted networks without strong authentication and network segmentation.
- Configuration drift in web servers (Apache HTTPD) can silently invalidate application-layer access controls; regular configuration audits are essential.
References
- http://packetstormsecurity.com/files/174643/Ivanti-Sentry-Authentication-Bypass-Remote-Code-Execution.html
- https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38035
Frequently asked questions
- What is CVE-2023-38035?
- A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.
- How severe is CVE-2023-38035?
- CVE-2023-38035 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-38035 being actively exploited?
- Yes. CVE-2023-38035 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-08-22, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-38035?
- CVE-2023-38035 affects Ivanti Mobileiron Sentry. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-38035?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-38035 have an EU (EUVD) identifier?
- Yes. CVE-2023-38035 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-41862. It is also flagged as exploited in the EUVD (since 2023-08-22).
- When was CVE-2023-38035 published?
- CVE-2023-38035 was published on 2023-08-21 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/174643/Ivanti-Sentry-Authentication-Bypass-Remote-Code-Execution.html
- https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38035
Affected products (1)
- cpe:2.3:a:ivanti:mobileiron_sentry:*:*:*:*:*:*:*:*
Other CWE-863 (Incorrect Authorization) vulnerabilities
- CVE-2026-48286 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization…
- CVE-2026-48303 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization…
- CVE-2026-44330 — Critical (CVSS 10.0): free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the…
- CVE-2026-46595 — Critical (CVSS 10.0): Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of…
- CVE-2026-33105 — Critical (CVSS 10.0): Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over…
- CVE-2026-32213 — Critical (CVSS 10.0): Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.
Browse all CWE-863 (Incorrect Authorization) vulnerabilities →