Critical Ivanti Cloud Service Appliance Flaw Exploited In The Wild

A critical path traversal vulnerability, recently discovered in Ivanti’s Cloud Service Appliance (CSA), is being actively exploited in the wild to grant access to restricted product functionalities. This is according to the security advisory Ivanti published earlier this week, in which it said it was “aware of a limited number of customers” who have been exploited by this vulnerability.

CSA is a gateway solution that allows secure communication between Ivanti software products (such as Ivanti Endpoint Manager) and devices outside the corporate network. It acts as a secure bridge for remote devices, enabling them to connect to internal services without the need for a VPN.

The bug is being tracked as CVE-2024-8963, and carries a severity score of 9.4. Ivanti says hackers can chain it to CVE-2024-8190, an OS command injection vulnerability, to bypass admin authentication and run arbitrary commands on the vulnerable endpoint.

End of life

The company did not say which companies were targeted, or by whom.

The bug was “incidentally addressed” as part of CSA 4.6 Patch 519, and CSA 5.0: “Ivanti is disclosing a critical vulnerability in Ivanti CSA 4.6 which was incidentally addressed in the patch released on 10 September (CSA 4.6 Patch 519),” the company said. It stressed that CSA 4.6 is past its end-of-life date, and as such no longer receives patches for OS or third-party libraries.

“Additionally, with the end-of-life status the fix released on 10 September is the last fix Ivanti will backport to that version,” the company concluded. “Customers must upgrade to Ivanti CSA 5.0 for continued support. CSA 5.0 is the only supported version of the product and is not affected by this vulnerability.”

Since the bug is actively exploited, the US Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog recently, forcing government agencies to patch up by October 10, The Hacker News found.

Via The Hacker News

What's Hot

You can save up to £120 on three of the best Bose headphones we’ve tested

Find a fulfilling career in health and social care at Hopwood Hall

Dancing with the Stars 2024 line-up: Full list of celebrities

Critical Ivanti Cloud Service Appliance flaw exploited in the wild

Is Chelsea v Aston Villa on TV tonight? Kick-off time, channel and how to watch WSL fixture

Audio and video calls on Discords are now end-to-end encrypted

Is Your Security Software Working? Here's How to Check

Who is Daniel Dubois? Anthony Joshua’s opponent and IBF heavyweight champion

Over 2 million VPN passwords have been stolen – here’s what you can do about it

Norton 360 Mobile Security Review: Good but Expensive

What's Hot

Critical Ivanti Cloud Service Appliance flaw exploited in the wild

End of life

More from TechRadar Pro

Related Posts