Patch numbers globally for #MobileIrony vuln are actually pretty good for a change.

CISA advisory says the zero day exploitation of #MobileIron was happening from "at least" April 2023 (which backs up what I wrote in my blog - i.e. I can see exploitation in logs going back to early this year).

Threat actors were uploading webshells and such. #threatintel #mobileirony

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a

The #MobileIrony API endpoint is now public knowledge - it’s /mifs/aad/

Yes, you just had to add ‘aad’ to access the admin API without auth and it’s been like that for years.

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-35078.yaml
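
A log check for the `/mifs/aad/` prefix named above, as an added example that is not part of the original thread. It assumes the web server writes common/combined-format access logs; the function names, the `example` endpoint and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Path prefix named in the post above.
VULN_PREFIX = "/mifs/aad/"

# Common/combined access-log layout (an assumption; adjust to the real log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_aad_requests(lines):
    """Return {client_ip: [(timestamp, method, path, status), ...]} for hits on the prefix."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        path = m["path"]
        # Collapse duplicate slashes and lower-case so trivial variants still match.
        normalized = re.sub(r"/{2,}", "/", path).lower()
        if normalized.startswith(VULN_PREFIX):
            hits[m["ip"]].append((m["ts"], m["method"], path, int(m["status"])))
    return dict(hits)

def served_without_auth(hits):
    """Client IPs that got a 2xx on the prefix; these are the ones to review first."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(200 <= status < 300 for _, _, _, status in reqs))

# Constructed sample lines using documentation IP ranges, not taken from a real log.
SAMPLE = [
    '198.51.100.7 - - [02/Aug/2023:10:01:11 +0000] "GET /mifs/aad/api/v2/example HTTP/1.1" 200 68',
    '198.51.100.7 - - [02/Aug/2023:10:01:15 +0000] "GET /mifs//aad/api/v2/example HTTP/1.1" 200 512',
    '203.0.113.9 - - [02/Aug/2023:11:30:02 +0000] "GET /mifs/aad/api/v2/example HTTP/1.1" 401 0',
    '192.0.2.10 - - [02/Aug/2023:11:31:40 +0000] "GET /index.html HTTP/1.1" 200 1024',
    'not an access log line',
]

if __name__ == "__main__":
    found = find_aad_requests(SAMPLE)
    for ip, reqs in found.items():
        print(ip, reqs)
    print("2xx responses on the prefix:", served_without_auth(found))
```

A 401 on the prefix still records that someone probed it; a 2xx means the request was answered and the host needs a closer look.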

Was in a meeting with our third party risk management team talking about #mobileirony

Audibly laughed when I saw @GossiTheDog’s logo on the screen 😂

Seems that they mitigated this without upgrading somehow. Going to the vulnerable URI just gives an unauthorized error.

#mobileiron #mobileirony

The number of people online who think the vulnerable API path for the #mobileirony 0-day is literally /vulnerable/path/api/v2/ is too damn high!

The MobileIron vuln is definitely doing the rounds in security circles as my honeypot is getting probed, admin lists dumped and disclosures from researchers. #MobileIrony #threatintel

Anyone know what the vulnerable MobileIron api path is? I've got two clients with unpatched IronMobile endpoints and I want to show them impact. I know the regular path is /api/v2 and the vulnerable path has something prepended to that but haven't figured it out yet.

#redteam #pentesting #MobileIrony #MobileIron #threatintel