NCSC urges firms to patch against MobileIron vulnerability
Remote attackers are targeting healthcare, logistics, legal, and local government sectors
Organisations using the California-based enterprise mobile device management (MDM) provider's software could be targeted by Advanced Persistent Threat (APT) nation-state groups looking to exploit a critical remote code execution vulnerability, according to the NCSC.
The flaw, tracked as CVE-2020-15505, affects MobileIron Core and Connector products, specifically the following models: 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0, 10.6.0.0, 10.3.0.3 and earlier, Sentry versions 9.8.0, 9.7.2 and earlier, as well as the Monitor and Reporting Database (RDB) version 22.214.171.124 and earlier.
The issue reportedly stems back to June 2020, when MobileIron released security updates to address several vulnerabilities in their products. However, users who had not applied the patches have since been the target of cyber attacks.
According to the NCSC, hostile state actors and cyber criminals have attempted to exploit the vulnerability since the publication of a proof of concept exploit became available in September 2020. The security organisation warned that remote attackers were already able to take advantage of the flaw by targeting healthcare, logistics, legal, and local government sectors.
The NCSC strongly advised UK organisations to refer to the MobileIron guidance, keeping informed of any future updates, as well as ensure that all affected versions have had the necessary updates installed.
IT Pro has contacted MobileIron for comment but the company has yet to respond. In an update published last month, the MDM provider said that it had “engaged in ongoing proactive outreach to help customers secure their systems”.
“That outreach has included calls from our account teams, regular targeted emails, and in-product notices. We currently estimate that between 90%-95% of all devices are now managed on patched/updated versions of our software. We continue to follow up with the remaining customers where we can determine that they have not yet patched or upgraded affected products,” it stated.