CVE Catalog

Actively exploited in the wild

Ivanti Sentry Authentication Bypass Vulnerability

Ivanti — Sentry · Listed in the CISA KEV since 2023-08-22. This indicates confirmed attacks in production environments.

Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2023-38035

Critical · CVSS 9.8 · KEV

Exploitation Probability (EPSS)

Very high risk
99.95%

100th percentile — higher than 100% of all known CVEs

Summary

A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

Risk Assessment

This vulnerability could lead to unauthorized access to the administrative interface, posing a serious threat to the organization's data security.

Recommendation

Upgrade to the latest version of Ivanti MobileIron Sentry, then review and tighten the Apache HTTPD configuration that protects the administrative interface.

Original NVD description (English source)

A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS