CISA & Ivanti Warn of Active Exploitation of Cloud Services Appliance Flaw CVE-2024-8190
A high-severity vulnerability (CVE-2024-8190) in Ivanti Cloud Services Appliance (CSA) is under active exploitation, prompting an urgent directive from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, classified as an OS command injection flaw, allows remote code execution by an attacker who holds administrative privileges.
CVE-2024-8190 is an OS command injection vulnerability in Ivanti CSA, a critical component in secure remote access infrastructure. The vulnerability enables attackers, once authenticated with admin-level privileges, to execute arbitrary commands on the system. Given that Ivanti CSA is often deployed to secure remote connections for corporate networks, this flaw opens the door to a wide range of potential threats, including full system compromise, data exfiltration, and lateral movement within affected networks.
While the precise exploitation methods remain undisclosed, Ivanti has confirmed that a limited number of customers have fallen victim to attacks leveraging this vulnerability.
“Following public disclosure, Ivanti has confirmed exploitation of this vulnerability in the wild. At the time of this update, we are aware of a limited number of customers who have been exploited,” wrote the company.
The addition of CVE-2024-8190 to CISA’s Known Exploited Vulnerabilities (KEV) catalog underscores the gravity of the situation. Federal agencies are now mandated to implement remedial measures by October 4, 2024, to safeguard their networks.
The primary issue resides within Ivanti CSA version 4.6, a product that has reached End-of-Life. Organizations are strongly advised to upgrade to CSA 5.0 to ensure comprehensive protection. Alternatively, customers on CSA 4.6 Patch 518 can apply Patch 519 as an interim measure. However, migrating to CSA 5.0 is the recommended course of action for sustained security.