The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have jointly issued a Cybersecurity Advisory on the active exploitation of critical vulnerabilities in Ivanti Cloud Service Appliances (CSA). These vulnerabilities—CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380—were exploited in September 2024 by threat actors to compromise victim networks.
The exploited vulnerabilities in Ivanti CSA are an administrative bypass, an OS command injection, a SQL injection, and a command injection flaw. Threat actors exploited them to gain unauthorized access, execute arbitrary commands, run malicious SQL statements, and achieve remote code execution on victim networks.
Two primary exploit chains were identified: one combined CVE-2024-8963, CVE-2024-8190, and CVE-2024-9380, and the other combined CVE-2024-8963 with CVE-2024-9379. Through these chains, threat actors established initial access, achieved remote code execution, stole credentials, and implanted webshells within compromised networks.
Affected versions of Ivanti CSA include 4.6x versions prior to build 519, and version 5.0.1 and below for certain of the CVEs. Notably, Ivanti CSA 4.6 has reached end-of-life and no longer receives security patches or updates, which makes upgrading to a supported version essential for mitigating these risks.
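As an added, illustrative example (not code from the advisory or from Ivanti), the Python check below classifies an appliance inventory against the affected ranges stated above. The hostnames, the version-string format ("4.6 build 518", "5.0.1") and the inventory itself are constructed assumptions; since the per-CVE mapping for 5.0.1 and below is not given here, 5.x releases are only flagged as affected by some of the CVEs.

```python
import re
from dataclasses import dataclass

# Affected ranges as stated above: 4.6.x before build 519 (4.6 is end-of-life), 5.0.1 and below.
FIXED_46_BUILD = 519
LAST_AFFECTED_5X = (0, 1)  # 5.0.1

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("csa-branch-01", "4.6 build 518"),
    ("csa-branch-02", "4.6 build 519"),
    ("csa-dc-01", "5.0.1"),
    ("csa-dc-02", "5.0.2"),
]

@dataclass
class Finding:
    host: str
    version: str
    status: str   # "affected", "eol", "ok" or "unknown"
    reason: str

def parse_version(text):
    """Return (major, minor, patch, build) from '4.6 build 518' or '5.0.1'-style strings."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*build\s*(\d+))?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch or 0), (int(build) if build else None)

def assess(host, version):
    """Classify one appliance against the affected ranges the advisory states."""
    major, minor, patch, build = parse_version(version)
    if (major, minor) == (4, 6):
        if build is None or build < FIXED_46_BUILD:
            return Finding(host, version, "affected",
                           "4.6 before build 519 is in the exploited range; 4.6 is end-of-life, upgrade")
        return Finding(host, version, "eol",
                       "4.6 build 519+ is outside the stated range but end-of-life; upgrade")
    if major == 5:
        if (minor, patch) <= LAST_AFFECTED_5X:
            return Finding(host, version, "affected",
                           "5.0.1 or below is affected by some of the CVEs; apply the vendor update")
        return Finding(host, version, "ok", "above 5.0.1, outside the stated affected ranges")
    return Finding(host, version, "unknown", "release not covered by the advisory's stated ranges")

def run_inventory(inventory=INVENTORY):
    # Assess every appliance and return the findings, most urgent first.
    order = {"affected": 0, "eol": 1, "unknown": 2, "ok": 3}
    return sorted((assess(h, v) for h, v in inventory), key=lambda f: order[f.status])
```

Calling `run_inventory()` returns the findings for the sample inventory ordered for triage; swap in your own list of (host, version) pairs from your asset records.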
Incident response findings from CISA and third-party responders highlighted credential theft, lateral movement within compromised networks, webshell implantation for persistent access, and, in some cases, successful detection and mitigation of the anomalous activity by the affected organizations.
Victim organizations shared their incident response experiences, including early detection of suspicious account creation, use of endpoint protection platforms for alerting, and use of indicators of compromise from other victims for threat identification and response.
To counter the Ivanti CSA vulnerabilities, CISA and the FBI recommend immediate software upgrades, deployment of Endpoint Detection and Response (EDR) solutions, detailed logging of network activity, and timely patch management to minimize exposure.
The advisory maps the threat actors' activity to the MITRE ATT&CK® Matrix framework, detailing tactics and techniques such as initial access, credential dumping, and remote command execution. Organizations are urged to treat credentials and sensitive data stored on compromised Ivanti appliances as at risk and to analyze logs promptly for signs of malicious activity.
Network administrators and security professionals are encouraged to consult CISA's Known Exploited Vulnerabilities Catalog for awareness of actively exploited vulnerabilities and emerging threats. The advisory underscores the importance of maintaining updated software, prompt vulnerability patching, and robust security practices for defending against cyber threats, particularly for organizations that rely on Ivanti CSA.

