Ivanti’s Cloud Service Targeted by Another Vulnerability


On September 19, Ivanti announced that a critical vulnerability in its Cloud Services Appliance (CSA) was being actively exploited in the wild, just days after it patched a previous flaw. The vulnerability, tracked as CVE-2024-8963 with a CVSS score of 9.4, is a path traversal issue that allows remote, unauthenticated attackers to access restricted functionality within Ivanti CSA. It has been combined with a previously disclosed flaw, CVE-2024-8190, an OS command injection vulnerability that could potentially grant unauthorized access to devices. When chained together, these vulnerabilities can be leveraged for remote code execution if the attacker possesses admin-level privileges.

According to reports, the exploitation of CVE-2024-8963 in conjunction with CVE-2024-8190 enables attackers to bypass admin authentication and execute arbitrary commands on the affected appliance. This alarming development marks another chapter in the ongoing series of security challenges that Ivanti has been grappling with since 2023.

The troubles for Ivanti seem to have started earlier this year when the Cybersecurity and Infrastructure Security Agency (CISA) issued a directive in February for Ivanti VPN appliances to be disconnected, rebuilt, and reconfigured within 48 hours due to concerns about multiple threat actors exploiting security flaws in the systems. Subsequently, in April, foreign nation-state hackers targeted vulnerable Ivanti gateway devices and launched an attack on MITRE, ending its 15-year streak of being incident-free. Not stopping there, thousands of Ivanti VPN instances were compromised due to two unpatched zero-day vulnerabilities. The month of August saw Ivanti’s Virtual Traffic Manager (vTM) being plagued by a critical vulnerability that could have facilitated unauthorized admin access.

Greg Fitzgerald, co-founder of Sevco Security, weighed in on the situation, highlighting that unpatched vulnerabilities have become an attractive target for attackers due to their ease of exploitation, coupled with the fact that organizations may be unaware of the presence of devices with end-of-life systems still running on their networks.

In response to the latest threat, Ivanti has recommended that its customers upgrade Ivanti CSA 4.6 to CSA 5.0 or apply Patch 519 to CSA 4.6 if they are unable to upgrade to the latest version. Furthermore, customers are advised to ensure dual-homed CSA configurations with eth0 designated as the internal network, review the CSA for any unauthorized modifications or newly added administrators, and monitor alerts provided by endpoint detection and response (EDR) solutions for any suspicious activity.

For assistance or further inquiries, users can reach out to Ivanti through their Success Portal to log a case or request a call for support. As the cybersecurity landscape continues to evolve, proactive measures like these are crucial in safeguarding against potential threats and maintaining the resilience of critical systems and networks.
