Hackers exploited a zero-day flaw in Ivanti’s mobile endpoint management software undetected for at least three months, U.S. and Norwegian cybersecurity agencies have warned.
It was confirmed last week that hackers had compromised multiple Norwegian government agencies by exploiting a previously undiscovered vulnerability in Ivanti Endpoint Manager Mobile (EPMM; formerly MobileIron Core), software that is also used by government departments across the United States and the United Kingdom.
While the impact of the cyberattacks on Norway’s ministries remains unknown, successful exploitation of the flaw — tracked as CVE-2023-35078 — allows unauthenticated access to users’ personal information and the ability to make changes to the vulnerable server. CISA warned last week that the flaw could be exploited to create an admin account on a vulnerable server, allowing for further server configuration changes.
CISA, along with the Norwegian National Cyber Security Centre (NCSC-NO), on Tuesday released an advisory warning that attackers have been abusing the zero-day flaw since as far back as April before exploitation was first discovered.
The advisory explains that unnamed government-backed actors “leveraged compromised small office/home office (SOHO) routers, including ASUS routers,” as proxies to conceal the source of their attacks. It also warns that hackers are leveraging a second vulnerability, tracked as CVE-2023-35081, which reduces the complexity of executing attacks. In an advisory published on Friday, Ivanti warned that the new remote arbitrary file write bug could allow a threat actor to remotely create, modify or delete files in the Ivanti EPMM server, and said it can be used in conjunction with the previous flaw to bypass administrator authentication restrictions.
Ivanti released a patch for the first zero-day on July 23 and another for the vulnerability on July 28. CISA added both flaws to its catalog of Known Exploited Vulnerabilities, giving federal civilian agencies until August 21 to apply patches.
CISA and NCSC-NO also urged agencies to use the advisory to search their systems for potential compromise and immediately report any issues.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
CISA noted that government-backed actors have been known to exploit previous MobileIron vulnerabilities and previously linked intrusions to Chinese state-sponsored hackers. “Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks,” the advisory says.
Ivanti chief security officer Daniel Spicer declined to comment on attribution or motivation. “What we can say is that threat actors continue to mature their tactics, balancing dogged persistence and patience with sophisticated use of exploits, tools and emerging technologies,” said Spicer.
In a now-public knowledge base article, the company notes “we are only aware of a very limited number of customers that have been impacted,” suggesting the list of victims extends beyond the Norwegian government.
According to Shodan, a search engine for publicly exposed devices, there are still more than 2,200 MobileIron portals exposed to the internet, the majority of which are located in the United States.
Updated with comment from Ivanti.
Ivanti rushes to patch zero-day used to breach Norway’s government
