
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint Cybersecurity Advisory to address active exploitation of multiple vulnerabilities in Ivanti Cloud Service Appliances (CSA). These vulnerabilities, tracked as CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380, pose significant risks, including administrative bypass, SQL injection, and remote code execution (RCE).
The advisory highlights that threat actors have actively chained these vulnerabilities to gain initial access, execute arbitrary commands, and implant webshells for persistence on victim networks. CISA and the FBI explained, “One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 and the other exploited CVE-2024-8963 and CVE-2024-9379.”
Details of the key vulnerabilities include:
- CVE-2024-8963: An administrative bypass flaw that allows attackers to access restricted features remotely.
- CVE-2024-9379: A SQL injection vulnerability enabling attackers with admin privileges to execute arbitrary SQL commands.
- CVE-2024-8190 and CVE-2024-9380: Command injection flaws leading to RCE, potentially granting attackers control over compromised systems.
All four vulnerabilities affect Ivanti CSA 4.6x versions before 519, while CVE-2024-9379 and CVE-2024-9380 also impact CSA 5.0.1 and earlier versions. Notably, Ivanti CSA 4.6 has reached its End-of-Life (EOL) and no longer receives security updates.
According to the advisory, threat actors exploited these vulnerabilities in September 2024, targeting unpatched Ivanti CSA appliances. The attacks involved lateral movement, credential theft, and persistence mechanisms like webshells. One observed exploit chain saw attackers using a base64-encoded Python script to harvest admin credentials, while another involved SQL injection to manipulate user accounts. In some cases, attackers created reverse command-and-control (C2) channels to maintain access.
The advisory notes, “Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised,” urging organizations to review and reset exposed credentials.
CISA and the FBI recommend organizations take the following steps to secure their environments:
- Upgrade to Supported Versions: Update to the latest Ivanti CSA versions immediately, as “Ivanti CSA 4.6 is EOL and no longer receives patches or third-party libraries.”
- Endpoint Detection and Response (EDR): Install EDR solutions to detect and block anomalous or malicious activities.
- Log Monitoring: Establish baselines for network traffic and maintain detailed logs to identify unusual activity.
- Phishing-Resistant MFA: Enforce multi-factor authentication to prevent unauthorized access.
- Timely Patching: Apply patches within 24-48 hours of vulnerability disclosures to minimize risk exposure.
For further details, technical recommendations, and IoCs, see the official CISA advisory.