Threat Watch

MobileIron Remote Code Execution Vulnerability

Researcher Orange Tsai discovered a Remote Code Execution (RCE) vulnerability in MobileIron Mobile Device Management (MDM) systems and responsibly disclosed it in March. MDM systems allow administrators to remotely control mobile devices in their organization. This management is done from a central location, and the portal is usually hosted on one of the company’s servers. The vulnerability, CVE-2020-15505, allows an attacker to remotely execute commands on an MDM server without having to authenticate. The UK National Cyber Security Centre (NCSC) has warned that it has seen Advanced Persistent Threat (APT) groups actively targeting companies using this vulnerability and urges companies to apply the patch if they have not already done so. The US Cybersecurity and Infrastructure Agency (CISA) has also warned about these attacks and stated that this CVE is amongst the top 25 that are actively being used by Chinese threat actors.


A patch for this vulnerability was released in June, before the researcher released the proof-of-concept. The proof-of-concept explained that MDM servers need to be publicly accessible to remotely manage mobile devices. This alone makes them a potential target for threat actors. Keeping up to date with security patches, especially on public-facing servers, is the first line of defense. Utilizing a service such as Binary Defense’s 24-hour-a-day, 7-day-a-week Managed Detection and Response or SIEM monitoring to monitor endpoints, including servers, for abnormal behavior is a great resource in defending against advanced threat actors who make it past the outer layers of security controls.

MobileIron versions vulnerable to CVE-2020-15505 are:
• and earlier
•,,,,, and
• Sentry versions 9.7.2 and earlier
• 9.8.0
• Monitor and Reporting Database (RDB) version and earlier

More can be read here:

The advisory from MobileIron can be found here: