UK government security experts are urging organizations to rapidly patch a remote code execution flaw in MobileIron products being actively exploited in the wild by nation state groups.
The notice from GCHQ’s National Cyber Security Centre (NCSC) explained that CVE-2020-15505, which affects the mobile device management company’s MobileIron Core and Connector products, could allow a remote attacker to execute arbitrary code on a system.
It also noted that the US Cybersecurity and Infrastructure Security Agency (CISA) pointed out in October that the vulnerability was being chained with the Zerologon bug CVE-2020-1472 in attacks.
Although the identity of the nation state actors was not disclosed, the vulnerability was recently featured on the NSA’s Top 25 list of the most exploited bugs by Chinese attackers.
“A proof of concept exploit became available in September 2020 and since then both hostile state actors and cyber-criminals have attempted to exploit this vulnerability in the UK,” noted the NCSC alert.
“These actors typically scan victim networks to identify vulnerabilities, including CVE-2020-15505, to be used during targeting (T1505.002). In some cases, when the latest updates are not installed, they have successfully compromised systems. The healthcare, local government, logistics and legal sectors have all been targeted but others could also be affected.”
A patch has been available since June, and the NCSC urged any affected organizations to apply it immediately. Those running vulnerable systems should also undertake regular network scans and audits to identify suspicious activity in case they have already been breached, it added.
“Mobile device management servers are by definition reachable from the public internet making them opportune targets. Offering a gateway to potentially compromise every mobile device in the organization, the attraction to attackers is clear,” argued Tom Davison, international technical director of Lookout.
“This highlights not just the importance of patching open vulnerabilities, but also the criticality of having a dedicated mobile security capability that is distinct from device management infrastructure.”