A vulnerability was discovered in Ivanti Endpoint Manager Mobile (EPMM, previously branded MobileIron Core) allows unauthenticated access to specific API paths. An attacker with access to these API paths can access personally identifiable information (PII), such as names, phone numbers, and other mobile device details. They can also make other configuration changes, including creating an EPMM administrative account that can make further changes to a vulnerable system.
Ivanti reports that they have received information from a credible source indicating active exploitation of this vulnerability.
This vulnerability affects supported EPMM versions 11.10, 11.9, and 11.8. Older, unsupported versions are also affected.
See the resource center.