Critical Flaw in Ivanti CSA 4.6: CVE-2024-8963 Actively Exploited, Urgent Upgrade Required
Ivanti, a leader in enterprise software, has disclosed a critical vulnerability in its Ivanti Connect Secure Appliance (CSA) 4.6, identified as CVE-2024-8963. This vulnerability, rated at a CVSS score of 9.4, is being actively exploited and presents a significant risk to users of the End-of-Life (EOL) version of Ivanti CSA.
CVE-2024-8963 is a Path Traversal vulnerability that allows a remote, unauthenticated attacker to gain unauthorized access to restricted functionality in Ivanti CSA 4.6. This can potentially open up systems to further exploitation, particularly if used in conjunction with CVE-2024-8190, which enables attackers to bypass administrator authentication and execute arbitrary commands on the affected appliance.
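The page describes the flaw only at the level of "path traversal reachable without authentication"; it does not publish the affected endpoint, and nothing below assumes one. As an added, defender-side example that is not Ivanti's code and is not specific to CSA, the following script shows the kind of log review an operator can run while waiting for the upgrade: it parses web-server access-log lines (a constructed sample embedded below), canonicalises each request path by repeatedly percent-decoding it, and flags any request whose path contains a literal `..` segment, including single- and double-encoded variants. Requests that were flagged and also received a 2xx response deserve the closest look. The log format, the IPs and the paths are all invented for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines. These are NOT from any real appliance;
# the request paths are invented to show plain, encoded and double-encoded ".."
# plus a benign path that merely contains two dots inside a file name.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.6 - - [20/Sep/2024:10:01:09 +0000] "GET /static/../../etc/passwd HTTP/1.1" 403 0
10.0.0.7 - - [20/Sep/2024:10:02:13 +0000] "GET /static/%2e%2e/%2e%2e/config HTTP/1.1" 200 128
10.0.0.8 - - [20/Sep/2024:10:02:40 +0000] "GET /static/%252e%252e/secret HTTP/1.1" 404 0
10.0.0.9 - - [20/Sep/2024:10:03:01 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 2048
"""

# Common/combined log format: client, identity, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def canonical_path(raw: str, max_decode: int = 3) -> str:
    """Return the request path with the query string dropped, percent-decoded
    repeatedly (bounded, so double-encoded '%252e' becomes '.'), and with
    backslashes normalised to forward slashes."""
    path = raw.split('?', 1)[0]
    for _ in range(max_decode):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def is_traversal(raw_path: str) -> bool:
    """True if any path segment, after canonicalisation, is exactly '..'.
    Comparing whole segments avoids false positives on names like 'a..b'."""
    return any(seg == '..' for seg in canonical_path(raw_path).split('/'))


def find_traversal_attempts(log_text: str):
    """Scan log text and return (client_ip, raw_path, status) for each request
    that looks like a traversal attempt. Callers can then triage 2xx hits first."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        if is_traversal(m['path']):
            hits.append((m['ip'], m['path'], int(m['status'])))
    return hits


if __name__ == '__main__':
    for ip, path, status in find_traversal_attempts(SAMPLE_LOG):
        flag = 'SUCCEEDED' if 200 <= status < 300 else 'blocked/failed'
        print(f'{ip}\t{status}\t{flag}\t{path}')
```

The bounded decode loop matters: a single `unquote` call misses `%252e%252e`, which a server stack that decodes twice would turn into `..`. Conversely, the check stops at three rounds so a pathological input cannot keep it spinning. This is a triage aid, not a substitute for the Patch 519 / CSA 5.0 remediation the article calls for, since an appliance-specific traversal may not even appear in these logs.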
Ivanti’s 4.6 version of CSA has reached its End-of-Life status, meaning it no longer receives regular security updates for the operating system or third-party libraries. However, a patch released on 10 September 2024 (CSA 4.6 Patch 519) coincidentally addressed this vulnerability, marking the last backported fix for this version.
Ivanti has confirmed that CVE-2024-8963 is being exploited in the wild, with a limited number of customers having already fallen victim to this attack. As a result, CISA (Cybersecurity and Infrastructure Security Agency) has added the vulnerability to its Known Exploited Vulnerabilities Catalog, urging organizations to prioritize remediation.
Organizations still using Ivanti CSA 4.6 face a significant challenge. As of September 2024, CSA 4.6 is officially unsupported, leaving users who haven’t applied Patch 519 highly vulnerable. Ivanti has made it clear that no future patches will be provided for this version, making the vulnerability a permanent threat unless users upgrade to Ivanti CSA 5.0. The newer version is not affected by CVE-2024-8963 and is the only supported iteration of the product moving forward.
For organizations still running CSA 4.6, the message is clear: upgrade to CSA 5.0 immediately to ensure continued support and protection against this critical security flaw. The 4.6 patch may serve as a temporary band-aid, but with the EOL status, it is vital to transition to the newer version.