
CISA and FBI release detailed exploit chain of flaws in Ivanti Cloud Service Applications

Take action: If you are running Ivanti CSA, treat the appliance as at serious risk of compromise. Check the advisory to confirm whether you are running a vulnerable version; if so, you may already have been compromised. Update to the latest supported version and monitor endpoints and network traffic. If you suspect a compromise, treat all CSA credentials and all sensitive data stored in the CSA as compromised.


Learn More

In September 2024, CISA and FBI identified a series of critical vulnerabilities in Ivanti Cloud Service Appliances (CSA) that were actively exploited by threat actors. The vulnerabilities include:

  • CVE-2024-8963 (CVSS score 9.1) - Path Traversal, allowing remote access to restricted features within the appliance
  • CVE-2024-9379 (CVSS score 7.2) - SQL Injection Vulnerability, enables remote authenticated attackers with admin privileges to run arbitrary SQL statements
  • CVE-2024-8190 and CVE-2024-9380 (CVSS score ) - Remote Code Execution Vulnerabilities, permitting remote authenticated attackers to execute arbitrary commands

The threat actors employed two primary exploit chains:

  1. CVE-2024-8963 combined with CVE-2024-8190 and CVE-2024-9380
  2. CVE-2024-8963 combined with CVE-2024-9379

Affected Versions:

  • Ivanti CSA 4.6x versions before 519, and CSA versions 5.0.1 and below (for CVE-2024-9379 and CVE-2024-9380 only)

Three victim organizations were identified, with varying levels of compromise:

  1. First organization detected anomalous user account creation early and remediated quickly
  2. Second organization's endpoint protection platform detected malicious webshell creation attempts
  3. Third organization used IOC findings from other victims to quickly detect and stop malicious activity

Threat actors successfully gained initial access, executed remote code, obtained credentials, and implanted webshells. In one confirmed case, lateral movement to two additional servers was observed. All three organizations remediated by replacing virtual machines with clean, upgraded versions.

CISA and FBI recommend considering all credentials and sensitive data stored within affected Ivanti appliances as compromised.

Organizations are advised to upgrade immediately to the latest supported version of Ivanti CSA, deploy endpoint detection and response (EDR) tooling, establish network traffic monitoring against a known-good baseline, and patch vulnerabilities promptly.
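The three victim cases above were caught by the same kinds of signals the recommendations call for: an unexpected account creation, a webshell being written under a web root, and traversal attempts in request logs. The script below is an added example of how such checks look in practice; it is not code from the CISA/FBI advisory or from Ivanti. The log line formats, paths, account names, addresses and the allow-list policy are constructed assumptions for illustration and do not correspond to Ivanti CSA log formats or to any indicator in the advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample logs for this example. The line formats, paths, account
# names and addresses are assumptions made for illustration; they are not
# Ivanti CSA log formats and not indicators from the CISA/FBI advisory.
ACCESS_LOG = [
    '203.0.113.7 - - [10/Sep/2024:10:01:12 +0000] "GET /app/index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Sep/2024:10:01:15 +0000] "GET /app/../../config.ini HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Sep/2024:10:01:18 +0000] "GET /app/%2e%2e/%2e%2e/config.ini HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Sep/2024:10:01:20 +0000] "POST /app/login HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Sep/2024:10:01:25 +0000] "GET /app/%252e%252e/config.ini HTTP/1.1" 200 1024',
]
AUDIT_LOG = [
    "2024-09-10T09:00:00Z ACCOUNT_CREATED user=jdoe by=admin",
    "2024-09-10T10:02:01Z ACCOUNT_CREATED user=svc_report by=www-data",
    "2024-09-10T10:02:30Z LOGIN user=svc_report result=success",
]
FIM_LOG = [
    "CREATE /var/www/html/uploads/img_20240910.png owner=www-data",
    "CREATE /var/www/html/uploads/cache.php owner=www-data",
    "MODIFY /etc/hosts owner=root",
    "CREATE /tmp/notes.php owner=jdoe",
]

# Assumed policy: only these actors may create accounts; scripts written under
# these roots with these extensions are treated as possible webshells.
ALLOWED_ACCOUNT_CREATORS = {"admin"}
WEB_ROOTS = ("/var/www/", "/opt/app/webroot/")
SCRIPT_EXTENSIONS = (".php", ".phtml", ".jsp", ".jspx", ".aspx")

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/')
TRAVERSAL_RE = re.compile(r"(?:^|/|\\)\.\.(?:/|\\|$)")
ACCOUNT_RE = re.compile(r"ACCOUNT_CREATED user=(\S+) by=(\S+)")
FIM_RE = re.compile(r"^(?:CREATE|MODIFY) (\S+)")


def detect_path_traversal(lines):
    """Flag requests whose path contains a '..' segment after URL decoding.
    Decoding twice also catches double-encoded forms such as %252e%252e."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = unquote(unquote(m.group(1)))
        if TRAVERSAL_RE.search(path):
            findings.append(("path_traversal", path))
    return findings


def detect_anomalous_account_creation(lines):
    """Flag account creation performed by an actor outside the allow list,
    for example the web server identity creating a user after code execution."""
    findings = []
    for line in lines:
        m = ACCOUNT_RE.search(line)
        if m and m.group(2) not in ALLOWED_ACCOUNT_CREATORS:
            findings.append(("anomalous_account", f"{m.group(1)} created by {m.group(2)}"))
    return findings


def detect_webshell_drop(lines):
    """Flag new or modified server-side scripts under a web root."""
    findings = []
    for line in lines:
        m = FIM_RE.match(line)
        if not m:
            continue
        path = m.group(1)
        if path.startswith(WEB_ROOTS) and path.lower().endswith(SCRIPT_EXTENSIONS):
            findings.append(("webshell_drop", path))
    return findings


def run_all(access=ACCESS_LOG, audit=AUDIT_LOG, fim=FIM_LOG):
    """Run every detector and return the combined findings in log order."""
    return (detect_path_traversal(access)
            + detect_anomalous_account_creation(audit)
            + detect_webshell_drop(fim))


if __name__ == "__main__":
    for category, detail in run_all():
        print(f"[{category}] {detail}")
```

Each detector returns its findings as (category, detail) tuples rather than printing them, so the same functions can feed an alerting pipeline or a test. The traversal check decodes twice because a single decode misses `%252e`-style encoding, and the webshell check keys on the combination of web root and script extension rather than on any particular file name, since the advisory gives no file names to match on.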
