Ivanti Cloud Services Appliance Vulnerability Added to CISA’s Known Exploited Vulnerabilities Catalog
September 20, 2024
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, a path traversal issue identified as CVE-2024-8190, is found in the Ivanti Cloud Services Appliance and has a CVSS score of 9.4.
Ivanti has issued a warning about another vulnerability in its Cloud Services Appliance (CSA) that is being actively exploited. This vulnerability, tracked as CVE-2024-8963, also has a CVSS score of 9.4 and affects a limited number of customers. The vulnerability allows a remote unauthenticated attacker to access restricted functionality and, when combined with the CVE-2024-8190 flaw, can bypass admin authentication and execute arbitrary commands on the appliance.
In an advisory, Ivanti stated, “Ivanti is disclosing a critical vulnerability in Ivanti CSA 4.6 which was incidentally addressed in the patch released on 10 September (CSA 4.6 Patch 519). Successful exploitation could allow a remote unauthenticated attacker to access restricted functionality.” The advisory further notes that “If CVE-2024-8963 is used in conjunction with CVE-2024-8190 an attacker can bypass admin authentication and execute arbitrary commands on the appliance.”
Ivanti has announced that CSA 4.6 is now End-of-Life and will no longer receive updates for the OS or third-party libraries. To continue receiving support, customers must upgrade to Ivanti CSA 5.0, which is not affected by this vulnerability. The company confirmed that a limited number of customers have been affected by exploitation of this vulnerability.
The vulnerability was discovered during an investigation into the exploitation activity that Ivanti disclosed on September 13. The advisory notes, “The vulnerability was discovered as we were investigating the exploitation that Ivanti disclosed on 13 September.” Ivanti found that the issue had been incidentally addressed by the functionality removal included in Patch 519.
According to Binding Operational Directive (BOD) 22-01, federal agencies are required to address identified vulnerabilities by a specified due date to protect their networks against attacks exploiting these flaws. Private organizations are also advised to review the Catalog and address any vulnerabilities in their infrastructure. CISA has ordered federal agencies to fix this vulnerability by October 10, 2024.
On September 13, 2024, CISA added another Ivanti Cloud Services Appliance OS Command Injection Vulnerability, tracked as CVE-2024-8190 with a CVSS score of 7.2, to its Known Exploited Vulnerabilities (KEV) catalog.