Ivanti zero-day vulnerabilities targeted in linked attack

Ivanti, a software company, has reported that a limited number of its Cloud Service Application customers have fallen victim to cyber attacks through exploit chains containing new zero-day vulnerabilities. In a blog post published on Tuesday, the company stated that customers running CSA 4.6 patch 518 and earlier versions have been exploited when specific vulnerabilities are chained together.

The main vulnerability at the center of these attacks, CVE-2024-8963, was first revealed on September 19. This critical path traversal vulnerability allows remote unauthenticated attackers to access restricted functionality. Although Ivanti released a patch for this vulnerability on September 10, it declared that CSA 4.6 is now considered end-of-life, prompting customers to upgrade to Ivanti CSA 5.0 for ongoing support.

In addition to CVE-2024-8963, three other vulnerabilities were disclosed on October 8, affecting CSA 5.0.1 and earlier versions. These vulnerabilities include a medium-severity SQL injection flaw, a high-severity OS command injection flaw, and a high-severity path traversal flaw. These vulnerabilities allow remote attackers with admin privileges to carry out various malicious activities.

Ivanti has confirmed that only users with CSA versions 4.6 patch 518 and earlier have been targeted in these attacks. The company’s recommended mitigation strategy is for users to upgrade to CSA 5.0.2. However, when asked if Ivanti plans to provide an additional patch for 4.6 users, the company had not responded at press time.

These recent vulnerabilities are part of a series of serious security flaws affecting Ivanti products in recent weeks. In the previous month, CISA included a critical severity authentication bypass flaw in Ivanti’s Virtual Traffic Manager in its Known Exploited Vulnerabilities catalog. Notably, the CVE-2024-8963 vulnerability originated from another high-severity flaw in CSA, CVE-2024-8190, which has also been exploited in attacks.

Looking back further, in January, CISA highlighted two zero-day vulnerabilities in Ivanti products that were under attack by a Chinese nation-state threat actor. Entities such as Volexity confirmed that these vulnerabilities were under widespread exploitation. Moreover, R&D firm Mitre disclosed in April that it had been breached by an unnamed nation-state actor through these same vulnerabilities.

In conclusion, Ivanti continues to grapple with security vulnerabilities in its products, necessitating prompt updates and mitigation strategies for affected customers. As cyber threats evolve, companies must remain vigilant in addressing and remedying vulnerabilities to safeguard their systems and data from malicious actors.
