Ivanti has issued a warning about the active exploitation of three newly discovered security vulnerabilities affecting its Cloud Service Appliance (CSA). These zero-day vulnerabilities are being leveraged in combination with a previously patched flaw, making them particularly dangerous.
The Utah-based software provider explained that these vulnerabilities, if exploited successfully, could allow an attacker with admin privileges to bypass restrictions, execute arbitrary SQL statements, or even achieve remote code execution.
"We are aware of a limited number of customers running CSA 4.6 patch 518 and earlier versions who have been exploited by chaining CVE-2024-9379, CVE-2024-9380, or CVE-2024-9381 with CVE-2024-8963," Ivanti stated. However, there is no evidence that customer environments running CSA version 5.0 have been affected.
Here is a brief summary of the vulnerabilities:
- CVE-2024-9379 (CVSS score: 6.5): A SQL injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2. It allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
- CVE-2024-9380 (CVSS score: 7.2): An OS command injection flaw in the admin web console of Ivanti CSA before version 5.0.2. It allows an attacker with admin privileges to execute remote code.
- CVE-2024-9381 (CVSS score: 7.2): A path traversal vulnerability in Ivanti CSA before version 5.0.2. It allows an attacker to bypass security restrictions.
These vulnerabilities have been combined with CVE-2024-8963 (CVSS score: 9.4), a critical path traversal issue that permits a remote unauthenticated attacker to access restricted functionality.
Ivanti uncovered these three new vulnerabilities while investigating the exploitation of CVE-2024-8963 and CVE-2024-8190 (CVSS score: 7.2), another OS command injection bug that has already been exploited in the wild.
To mitigate the risk, Ivanti recommends that users update their systems to the latest version (5.0.2). In addition, users should check the appliance for modified or newly added administrative users and look for any signs of compromise. Endpoint Detection and Response (EDR) tools installed on the device should also be checked for alerts.
This development follows the U.S. Cybersecurity and Infrastructure Security Agency (CISA)'s recent addition of a separate Ivanti Endpoint Manager (EPM) vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, CVE-2024-29824 (CVSS score: 9.6), was fixed in May but remains a significant threat.