CVE-2023-38035

CVE Database · CVE-2023-38035

CVE-2023-38035

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

99.95%

Published

Aug 21, 2023

Modified

Oct 31, 2025

CISA Known Exploited Vulnerability

Added: 2023-08-22 · Due: 2023-09-12

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (5)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index GitHub PoChorizon3ai/CVE-2023-38035★40 GitHub PoCLeakIX/sentryexploit★7 GitHub PoCmind2hex/CVE-2023-38035-MobileIron-RCE★1

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-863CWE-863

Affected Products (1)

ivanti · mobileiron_sentryvulnerable

References (5)

http://packetstormsecurity.com/files/174643/Ivanti-Sentry-Authentication-Bypass-Remote-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface

Vendor Advisory

http://packetstormsecurity.com/files/174643/Ivanti-Sentry-Authentication-Bypass-Remote-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38035

KEV Catalog EPSS Scores Vendors All CVEs