Ivanti has issued a warning about three newly discovered security vulnerabilities affecting its Cloud Service Appliance (CSA), which are currently being actively exploited in the wild.
These zero-day vulnerabilities are being leveraged alongside a previously discovered flaw in CSA, which the company had addressed with a patch last month. According to the Utah-based software provider, successful exploitation could enable an attacker with administrative access to bypass security restrictions, execute arbitrary SQL commands, or achieve remote code execution.
“We are aware of a limited number of customers using CSA 4.6 patch 518 or earlier who have been compromised through the chaining of CVE-2024-9379, CVE-2024-9380, or CVE-2024-9381 with CVE-2024-8963,” Ivanti stated.
There is currently no evidence of exploitation affecting customer environments running CSA 5.0. A summary of the three identified vulnerabilities is as follows:
CVE-2024-9379 (CVSS score: 6.5) – A SQL injection vulnerability in the admin web console of Ivanti CSA prior to version 5.0.2 allows a remote authenticated attacker with admin privileges to execute arbitrary SQL commands.
CVE-2024-9380 (CVSS score: 7.2) – An operating system (OS) command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 enables a remote authenticated attacker with admin rights to achieve remote code execution.
CVE-2024-9381 (CVSS score: 7.2) – A path traversal vulnerability in Ivanti CSA before version 5.0.2 enables a remote authenticated attacker with admin privileges to bypass access restrictions.
Ivanti has observed attack patterns in which adversaries combine these vulnerabilities with CVE-2024-8963 (CVSS score: 9.4), a critical path traversal vulnerability that permits a remote unauthenticated attacker to gain access to restricted system functionality.
Ivanti identified these new vulnerabilities during its investigation of the exploitation of both CVE-2024-8963 and CVE-2024-8190 (CVSS score: 7.2), the latter being another OS command injection flaw in CSA that was actively exploited in the wild and has since been patched.
In addition to updating to the latest version (5.0.2), the company advises users to inspect their appliances for any newly added or modified administrative accounts that could indicate a potential breach. They also recommend checking for alerts from endpoint detection and response (EDR) tools installed on the device.
This update follows just days after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical security vulnerability affecting Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog. The flaw (CVE-2024-29824), which received a high-severity CVSS score of 9.6, was patched in May.