MobileIrony backdoor allows complete takeover of mobile security product and endpoints.

**Executive summary:** The report describes a critical unauthenticated API flaw (CVE-2023-35078, "MobileIrony") in Ivanti MobileIron/EPMM that allows any remote actor to perform administrative API actions (including creating admin accounts, querying LDAP, enumerating users and devices, deploying software, locking/wiping devices) without credentials; it has been exploited in the wild against government targets and warrants immediate patching and urgent customer notification.