The UK's National Cyber Security Centre has issued an alert on the MobileIron remote code execution vulnerability. According to the alert, APT nation state groups and cybercriminals are exploiting this vulnerability to compromise the networks of UK organizations.

In June 2020 MobileIron, a provider of mobile device management (MDM) systems, released security updates to address several vulnerabilities in their products. This included CVE-2020-15505, a remote code execution vulnerability, rated critical. MDM systems allow system administrators to manage an organization’s mobile devices from a central server, making them a valuable target for threat actors.

The NCSC is aware that Advanced Persistent Threat (APT) nation-state groups and cybercriminals are now actively attempting to exploit this vulnerability [T1190] to compromise the networks of UK organizations.

The Cybersecurity and Infrastructure Agency (CISA) in the US has also noted that APTs are exploiting this vulnerability in combination with the Netlogon/Zerologon vulnerability CVE-2020-1472 in a single intrusion.

This critical vulnerability affects MobileIron Core and Connector products and could allow a remote attacker to execute arbitrary code on a system. The MobileIron website lists the following versions as affected:

• 10.3.0.3 and earlier
• 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0
• Sentry versions 9.7.2 and earlier
• 9.8.0
• Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier

A proof of concept exploit became available in September 2020 and since then both hostile state actors and cybercriminals have attempted to exploit this vulnerability in the UK. These actors typically scan victim networks to identify vulnerabilities, including CVE-2020-15505, to be used during targeting (T1505.002). In some cases, when the latest updates are not installed, they have successfully compromised systems. The healthcare, local government, logistics and legal sectors have all been targeted but others could also be affected. 

Tom Davison, Technical Director – International at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, notes, "The interesting story here is the assertion by cybersecurity agencies in the UK (NCSC) and the US (NSA) that nation state APT groups are actively exploiting these vulnerabilities, five full months after patches were issued.  Mobile Device Management servers are by definition reachable from the public internet making them opportune targets. Offering a gateway to potentially compromise every mobile device in the organization, the attraction to attackers is clear.  This highlights not just the importance of patching open vulnerabilities, but also the criticality of having a dedicated mobile security capability that is distinct from device management infrastructure."