CVE-2023-38035
CRITICAL | CISA KEV | 9.8
Description
A security vulnerability in the MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.
CVE Details
CVSS v3.1 Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 8/21/2023
Last Modified: 10/31/2025
Source: kev
Honeypot Sightings: 0
CISA KEV
Vendor: Ivanti
Product: Sentry
Vulnerability Name: Ivanti Sentry Authentication Bypass Vulnerability
KEV Date Added: 2023-08-22
Remediation Due Date: 2023-09-12
Ransomware Use: Known
Affected Products
ivanti:mobileiron_sentry
Weaknesses (CWE)
CWE-863
References
http://packetstormsecurity.com/files/174643/Ivanti-Sentry-Authentication-Bypass-Remote-Code-Execution.html (support@hackerone.com)
https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface (support@hackerone.com)
http://packetstormsecurity.com/files/174643/Ivanti-Sentry-Authentication-Bypass-Remote-Code-Execution.html (af854a3a-2127-422b-91ae-364da2661108)
https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface (af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38035 (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.