Ivanti CSA Hit with Three New Zero-Day Vulnerabilities in Active Exploitation

Ivanti recently disclosed three newly identified zero-day vulnerabilities in its Cloud Services Appliance (CSA), all of which are actively exploited in the wild. These vulnerabilities, tracked as CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381, allow attackers to chain them with a previously patched vulnerability (CVE-2024-8963) to perform a range of unauthorised actions, from SQL injections to remote code execution. This exploitation of Ivanti CSA poses a considerable threat, particularly to enterprises that have not yet upgraded to the latest patched versions.

Detailed Analysis of the New Zero-Days

1. CVE-2024-9379 – SQL Injection Vulnerability

  • Description: This SQL injection flaw enables an attacker with administrative privileges to inject and execute arbitrary SQL commands within the database. By exploiting this flaw, attackers can access and manipulate data on the CSA’s underlying database, potentially compromising sensitive information.
  • Impact: Successful exploitation allows for unauthorised database manipulation, which could lead to information leakage or data alteration. Given that this vulnerability requires administrative access, it may also be used as part of a broader exploitation chain.

2. CVE-2024-9380 – OS Command Injection

  • Description: This vulnerability allows an attacker with admin-level access to inject OS commands remotely. By exploiting this command injection flaw, attackers can gain control over the host’s operating system, thereby facilitating arbitrary code execution.
  • Impact: This presents a serious risk, as attackers can leverage this vulnerability to execute any command on the host, leading to a potential full system compromise. Remote code execution flaws of this nature are critical, particularly for systems that provide access to internal network resources.

3. CVE-2024-9381 – Path Traversal

  • Description: This path traversal vulnerability allows attackers to bypass security restrictions and access files and directories that should otherwise be off-limits, even with authenticated access. Using this flaw, attackers could potentially read sensitive configuration files or exfiltrate data.
  • Impact: This flaw could facilitate lateral movement within the environment, especially if the CSA is used to secure access to other internal resources.

Collectively, these vulnerabilities affect all Ivanti CSA versions up to 5.0.1. Ivanti urges customers on version 4.6 (now end-of-life) to upgrade immediately to CSA version 5.0.2, which includes patches for these and other flaws.

Active Exploitation and Recommended Actions

Ivanti has observed that attackers are actively chaining these new vulnerabilities with CVE-2024-8963 — a previously reported path traversal vulnerability — to enable further exploitation. By using CVE-2024-8963 as a bypass mechanism, attackers gain unauthorised access, enabling a wide range of malicious activities across vulnerable CSA implementations.

Recommended Mitigation Strategies:

  • Immediate Patching: Upgrade CSA systems to version 5.0.2 to ensure that the most recent security patches are applied. Given that CSA 4.6 has reached end-of-life, organisations still using it are particularly vulnerable and should prioritise updating to a supported version.
  • Monitoring and Detection: Ivanti advises administrators to monitor for unusual patterns in administrative logs, such as changes to admin accounts or unexpected file access. Endpoint detection and response (EDR) solutions can also help detect anomalies and provide alerts on potential indicators of compromise.
  • Rebuild Compromised Systems: For organisations that suspect their CSA environments have been compromised, Ivanti recommends rebuilding the appliance with the latest software version to ensure a clean environment.
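The two checks a defender can automate from the guidance above are the version gate (anything below 5.0.2 is affected, and 4.6 is end-of-life) and a first-pass scan of administrative logs for admin-account changes and unexpected file access. The script below is an added example, not Ivanti's code or tooling: the log line format, the action names, the allowed directory prefixes and the sample log lines are all constructed assumptions, and a real CSA log would need its own parser.

```python
"""Added example (not Ivanti's code): triage helpers for the CSA advisory.

Assumptions, all hypothetical:
  - version strings are dotted integers such as "5.0.1"
  - admin-log lines look like:
      <ts> user=<name> action=<verb> [path=<file>] src=<ip>
  - admin-account changes appear as the actions in ADMIN_ACCOUNT_ACTIONS
  - legitimate file access stays under ALLOWED_PREFIXES
"""
import re
from typing import Dict, List, Tuple

# Page facts: 5.0.2 is the patched release; 4.6 is end-of-life.
PATCHED_VERSION: Tuple[int, int, int] = (5, 0, 2)
EOL_MAJOR_MINOR: Tuple[int, int] = (4, 6)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn "5.0.1" / "4.6" into a comparable 3-tuple (missing parts are 0)."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def version_status(version: str) -> str:
    """Classify a CSA build against the advisory's fixed version."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown: unparseable version string"
    if v[:2] == EOL_MAJOR_MINOR:
        return "end-of-life: upgrade to 5.0.2"
    if v < PATCHED_VERSION:
        return "vulnerable: upgrade to 5.0.2"
    return "patched"


# Hypothetical log grammar; a real CSA log needs its own parser.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: path=(?P<path>\S+))? src=(?P<src>\S+)$"
)
ADMIN_ACCOUNT_ACTIONS = {"create_admin", "modify_admin", "delete_admin", "reset_password"}
# Generic traversal markers: "../", "..\" and their URL-encoded form.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e)", re.IGNORECASE)
ALLOWED_PREFIXES = ("/var/www/", "/opt/csa/reports/")  # assumed legitimate roots


def scan_admin_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag admin-account changes and unexpected file access in admin-log lines."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append({"line": line, "reason": "unparseable log line"})
            continue
        ev = m.groupdict()
        if ev["action"] in ADMIN_ACCOUNT_ACTIONS:
            findings.append({"line": line, "reason": "admin account change"})
        path = ev.get("path")
        if path:
            if TRAVERSAL_RE.search(path):
                findings.append({"line": line, "reason": "path traversal sequence in path"})
            elif not path.startswith(ALLOWED_PREFIXES):
                findings.append({"line": line, "reason": "file access outside allowed directories"})
    return findings


# Constructed sample log: two benign lines, then three that should be flagged.
SAMPLE_LOG = [
    "2024-10-08T09:00:01Z user=admin action=login src=10.0.0.5",
    "2024-10-08T09:02:13Z user=admin action=read_file path=/var/www/index.html src=10.0.0.5",
    "2024-10-08T09:05:44Z user=admin action=create_admin src=198.51.100.23",
    "2024-10-08T09:06:02Z user=admin action=read_file path=/var/www/../../opt/csa/config/app.conf src=198.51.100.23",
    "2024-10-08T09:07:30Z user=admin action=read_file path=/opt/csa/config/app.conf src=198.51.100.23",
]

if __name__ == "__main__":
    for v in ("4.6", "5.0.1", "5.0.2"):
        print(f"CSA {v}: {version_status(v)}")
    for f in scan_admin_log(SAMPLE_LOG):
        print(f"[{f['reason']}] {f['line']}")
```

Run it as-is to see the sample output; in practice, replace SAMPLE_LOG with the appliance's own administrative log lines and adjust LOG_RE and ALLOWED_PREFIXES to the real format. A hit from scan_admin_log is a triage lead, not proof of compromise; per the advisory, a suspected compromise is handled by rebuilding the appliance on 5.0.2 rather than by cleaning it in place.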

Historical Context and Previous Exploitations

Ivanti CSA has been under increasing scrutiny due to repeated vulnerabilities in its platform. Earlier this year, Ivanti patched CVE-2024-8190, a severe command injection flaw that attackers were using in conjunction with CVE-2024-8963 to bypass authentication and execute arbitrary commands. These vulnerabilities, along with the newly disclosed zero-days, highlight a worrying trend of sustained exploitation targeting Ivanti products.

Other Noteworthy Ivanti Vulnerabilities:

  • CVE-2024-8190: An OS command injection vulnerability that allowed remote code execution, patched in September 2024.
  • CVE-2024-7593: An authentication bypass in Ivanti’s Virtual Traffic Manager, actively exploited earlier this year, underscoring the broad target profile of Ivanti products.

These repeated exploitations demonstrate a persistent effort by threat actors to target Ivanti’s security solutions, especially those widely deployed in critical infrastructure and enterprise environments. Links to further details on these vulnerabilities can be found on Threat Intel Report.

The repeated targeting of Ivanti CSA, compounded by the frequent discovery of new zero-day vulnerabilities, poses a significant threat to organisations using these services to secure their networks. Ivanti’s recommendation to upgrade immediately to the patched CSA version 5.0.2 is critical for maintaining the security of affected systems. In the interim, enhanced monitoring and incident response measures are advisable to detect and mitigate potential compromises.


Further Reading