Cyber Defense Advisors

Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited

Ivanti has warned that three new security vulnerabilities impacting its Cloud Service Appliance (CSA) have come under active exploitation in the wild.

The zero-day flaws are being weaponized in conjunction with another flaw in CSA that the company patched last month, the Utah-based software services provider said.

Successful exploitation of these vulnerabilities could allow an authenticated attacker with admin privileges to bypass restrictions, run arbitrary SQL statements, or obtain remote code execution.

“We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380 or CVE-2024-9381 are chained with CVE-2024-8963,” the company said.

There is no evidence of exploitation against customer environments running CSA 5.0. A brief description of the three shortcomings is as follows –

CVE-2024-9379 (CVSS score: 6.5) – SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements
CVE-2024-9380 (CVSS score: 7.2) – An operating system (OS) command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution
CVE-2024-9381 (CVSS score: 7.2) – Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.

The attacks observed by Ivanti involve combining the aforementioned flaws with CVE-2024-8963 (CVSS score: 9.4), a critical path traversal vulnerability that allows a remote unauthenticated attacker to access restricted functionality.

Ivanti said it discovered the three new flaws as part of its investigation into the exploitation of CVE-2024-8963 and CVE-2024-8190 (CVSS score: 7.2), another now-patched OS command injection bug in CSA that has also been abused in the wild.

Besides updating to the latest version (5.0.2), the company is recommending users to review the appliance for modified or newly added administrative users to look for signs of compromise, or check for alerts from endpoint detection and response (EDR) tools installed on the device.

The development comes less than a week after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting Ivanti Endpoint Manager (EPM) that was fixed in May (CVE-2024-29824, CVSS score: 9.6) to the Known Exploited Vulnerabilities (KEV) catalog.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.