Ivanti Cloud Services Appliance Vulnerability Added to CISA’s Known Exploited Vulnerabilities Catalog

September 20, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, a path traversal issue identified as CVE-2024-8190, is found in the Ivanti Cloud Services Appliance and has a CVSS score of 9.4.

Ivanti has issued a warning about another vulnerability in its Cloud Services Appliance (CSA) that is being actively exploited. This vulnerability, tracked as CVE-2024-8963, also has a CVSS score of 9.4 and affects a limited number of customers. The vulnerability allows a remote unauthenticated attacker to access restricted functionality and, when combined with the CVE-2024-8190 flaw, can bypass admin authentication and execute arbitrary commands on the appliance.

In an advisory, Ivanti stated, “Ivanti is disclosing a critical vulnerability in Ivanti CSA 4.6 which was incidentally addressed in the patch released on 10 September (CSA 4.6 Patch 519). Successful exploitation could allow a remote unauthenticated attacker to access restricted functionality.” The advisory further notes that “If CVE-2024-8963 is used in conjunction with CVE-2024-8190 an attacker can bypass admin authentication and execute arbitrary commands on the appliance.”

Ivanti has announced that CSA 4.6 is now End-of-Life and will no longer receive updates for the OS or third-party libraries. To continue receiving support, customers must upgrade to Ivanti CSA 5.0, which is not affected by this vulnerability. The company confirmed that a limited number of customers have had this vulnerability exploited against their appliances.

The vulnerability was discovered during an investigation into an exploitation that Ivanti disclosed on September 13. The advisory notes, “The vulnerability was discovered as we were investigating the exploitation that Ivanti disclosed on 13 September.” It was found that the issue had been incidentally addressed with some of the functionality removal included in patch 519.

According to Binding Operational Directive (BOD) 22-01, federal agencies are required to address identified vulnerabilities by a specified due date to protect their networks against attacks exploiting these flaws. Private organizations are also advised to review the Catalog and address any vulnerabilities in their infrastructure. CISA has ordered federal agencies to fix this vulnerability by October 10, 2024.

On September 13, 2024, CISA added another Ivanti Cloud Services Appliance OS Command Injection Vulnerability, tracked as CVE-2024-8190 with a CVSS score of 7.2, to its Known Exploited Vulnerabilities (KEV) catalog.
