Critical MobileIron RCE Flaw Under Active Attack

mobile device management security

Attackers are targeting the critical remote code-execution flaw to compromise systems in the healthcare, local government, logistics and legal sectors, among others.

Advanced persistent threat (APT) groups are actively exploiting a vulnerability in mobile device management security solutions from MobileIron, a new advisory warns.

The issue in question (CVE-2020-15505) is a remote code-execution flaw. It ranks 9.8 out of 10 on the CVSS severity scale, making it critical. The flaw was patched back in June, however, a proof of concept (PoC) exploit became available in September. Since then, both hostile state actors and cybercriminals have attempted to exploit the flaw in the U.K., according to a new advisory by the National Cyber Security Centre (NCSC).

“These actors typically scan victim networks to identify vulnerabilities, including CVE-2020-15505, to be used during targeting,” said the NCSC in an advisory this week. “In some cases, when the latest updates are not installed, they have successfully compromised systems.”

The NCSC said that the healthcare, local government, logistics and legal sectors have all been targeted – but others could also be affected.

Separately, the Cybersecurity and Infrastructure Security Agency (CISA) in October warned that APT groups are exploiting the MobileIron flaw in combination with the severe Microsoft Windows Netlogon/Zerologon vulnerability (CVE-2020-1472).

The Flaw

The flaw, first reported to MobileIron by Orange Tsai from DEVCORE, could allow an attacker to execute remote exploits without authentication.

MobileIron provides a platform that allows enterprises to manage the end-user mobile devices across their company. The flaw exists across various components of this platform: In MobileIron Core, a component of the MobileIron platform that serves as the administrative console; and in MobileIron Connector, a component that adds real-time connectivity to the backend. Also impacted is Sentry, an in-line gateway that manages, encrypts and secures traffic between the mobile-device and back-end enterprise systems; and Monitor and Reporting Database, which provides comprehensive performance management functionality.

The bug affects Core and Connector versions and earlier,,,,,, and; and Sentry versions 9.7.2 and earlier, and 9.8.0; and Monitor and Reporting Database (RDB) version and earlier that allows remote attackers to execute arbitrary code via unspecified vectors.


MobileIron, for its part, said in an update this week that it has been engaging in “proactive outreach to help customers secure their systems,” and estimates that 90 to 95 percent of all devices are now managed on  patched/updated versions of software.

While the company said it will continue to follow up with the remaining customers where we can determine that they have not yet patched affected products, it strongly urges companies to make sure they are updated.

“MobileIron strongly recommends that customers apply these patches and any security updates as soon as possible,” said the company in its security update.

Threatpost has reached out to MobileIron for further comment.

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from world-class security experts on new kinds of attacks, the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.

Suggested articles