Ivanti has disclosed that a critical vulnerability impacting its Cloud Service Appliance (CSA) is being actively exploited in the wild. The security flaw, identified as CVE-2024-8963, carries a CVSS score of 9.4 out of 10, reflecting its high severity. According to Ivanti, this vulnerability was "incidentally addressed" in the release of CSA 4.6 Patch 519 and CSA 5.0.
The vulnerability is a path traversal flaw, which allows remote, unauthenticated attackers to access restricted functions on the CSA. This could give attackers the ability to manipulate or retrieve sensitive data from compromised systems. Ivanti also highlighted that this flaw can be combined with CVE-2024-8190 (CVSS score: 7.2), a vulnerability that permits attackers to bypass admin authentication and execute arbitrary commands.
The combination of these two vulnerabilities poses a significant risk, allowing threat actors to gain full control over vulnerable devices. Ivanti has acknowledged that some customers have already been exploited through this vulnerability, just days after reporting exploitation attempts related to CVE-2024-8190.
This series of events prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to include the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are required to apply the necessary fixes by October 10, 2024.
Given the severity of this vulnerability, Ivanti strongly recommends users update their CSA installations to version 5.0 as soon as possible. It’s important to note that CSA version 4.6 is no longer supported, making any system running this version particularly vulnerable to future exploits.