CISA Alerts on Ivanti Vulnerabilities Exploited in Cyber Attacks
January 23, 2025
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory warning that threat actors are exploiting a series of vulnerabilities in Ivanti's Cloud Service Appliance (CSA). The vulnerabilities are being chained to gain initial access, steal credentials, and plant web shells and other malicious scripts on compromised appliances.
The attacks chain four Ivanti CSA vulnerabilities: CVE-2024-8963, a path traversal flaw that allows an administrative authentication bypass; CVE-2024-9379, a SQL injection vulnerability in the admin web console; and CVE-2024-8190 and CVE-2024-9380, two OS command injection vulnerabilities that an attacker with admin access can use for remote code execution (RCE).
Drawing on incident-response data from a third party, CISA determined that the threat actors combine these bugs into a single chain: the admin bypass provides the foothold, and the injection flaws then deliver remote code execution, credential theft, and web-shell installation on victim networks. "All four vulnerabilities affect Ivanti CSA version 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below; according to Ivanti, these CVEs have not been exploited in version 5.0," CISA states in the advisory.
To counter these threats, CISA and the FBI advise administrators to upgrade to the latest supported version of Ivanti CSA and to hunt for malicious activity using the detection methods and indicators of compromise (IoCs) published in the advisory. If a compromise is found, the agencies recommend isolating or taking potentially affected hosts offline and reimaging them, rotating credentials for every account that could have been exposed through the appliance, collecting and reviewing forensic artifacts, and reporting the incident to CISA.
The agencies also recommend exercising, testing, and validating the organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the advisory.
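The advisory's detection guidance rests on the chain described above: a traversal-style admin bypass, followed within minutes by SQL injection and command injection from the same client. The script below is an added illustration, not code from CISA, Ivanti, or the original article. It triages a combined-format web access log for that sequence. The request paths, IP addresses, and timestamps in it are constructed for the demo, and the regular expressions are generic indicators for the three vulnerability classes the advisory names, not the Ivanti-specific IoCs, which must be taken from the CISA advisory itself.

```python
"""Triage an access log for a traversal -> SQLi -> command-injection chain
from one client inside a short time window.

Added example: the log lines are constructed, and the indicator patterns
are generic class-level signatures, not the Ivanti CSA IoCs from CISA.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, NamedTuple
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:08:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:08:01:05 +0000] "GET /client/%2e%2e/admin/ HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.7 - - [10/Oct/2024:08:01:09 +0000] "POST /admin/report.php?id=1'%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 1400 "-" "curl/8.4.0"
203.0.113.7 - - [10/Oct/2024:08:01:14 +0000] "GET /admin/tool.php?host=127.0.0.1;id HTTP/1.1" 200 300 "-" "curl/8.4.0"
198.51.100.9 - - [10/Oct/2024:09:15:00 +0000] "GET /client/../docs/ HTTP/1.1" 404 120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2024:14:20:00 +0000] "GET /search.php?q=a'%20OR%201=1-- HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Generic per-class indicators (assumed for the demo, tune per environment).
INDICATORS = {
    "traversal": re.compile(r"(^|/)\.\.(/|$)"),
    "sqli": re.compile(r"""['"]\s*(?:or|and|union)\b|union\s+select|--\s*$|;\s*drop\b""", re.I),
    "cmdi": re.compile(r"[;|`]|\$\(|&&"),
}


class Event(NamedTuple):
    ip: str
    ts: datetime
    method: str
    path: str
    status: int
    classes: FrozenSet[str]


def decode(path: str) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%252e%252e) are seen."""
    for _ in range(3):
        new = unquote(path)
        if new == path:
            break
        path = new
    return path


def classify(path: str) -> FrozenSet[str]:
    """Return the set of indicator classes that match the decoded request path."""
    decoded = decode(path)
    return frozenset(name for name, rx in INDICATORS.items() if rx.search(decoded))


def parse(log_text: str) -> List[Event]:
    """Parse combined-format lines into Event records; unparsable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append(Event(m["ip"], ts, m["method"], m["path"], int(m["status"]), classify(m["path"])))
    return events


def find_chains(events: List[Event], window: timedelta = timedelta(minutes=10)) -> Dict[str, List[Event]]:
    """Per client IP, find a traversal hit followed (in order, within `window`)
    by a SQLi hit and then a command-injection hit. Returns ip -> the three events."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    chains: Dict[str, List[Event]] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            if "traversal" not in first.classes:
                continue
            pending = ["sqli", "cmdi"]  # stages still to be observed, in order
            hit = [first]
            for ev in evs[i + 1:]:
                if ev.ts - first.ts > window:
                    break
                if pending and pending[0] in ev.classes:
                    hit.append(ev)
                    pending.pop(0)
            if not pending:
                chains[ip] = hit
                break
    return chains


if __name__ == "__main__":
    for ip, chain in find_chains(parse(SAMPLE_LOG)).items():
        print(f"possible exploit chain from {ip}:")
        for ev in chain:
            print(f"  {ev.ts.isoformat()} {ev.method} {ev.path} -> {sorted(ev.classes)}")
```

On the constructed sample, only 203.0.113.7 is reported: its three requests land within ten seconds, whereas 198.51.100.9 shows a stray traversal attempt and an unrelated SQL-injection probe hours apart. The strict ordering and the ten-minute window are deliberately conservative starting points; loosen them for a hunt, and replace the generic patterns with the advisory's actual request paths and file IoCs before relying on the output.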