
Ivanti patches admin bypass for Cloud Services Appliance

Ivanti has released a security advisory for a critical vulnerability in Ivanti CSA 4.6 which is being actively exploited.

Ivanti has released a security advisory for CVE-2024-8963, a critical vulnerability in Ivanti CSA 4.6 which was incidentally addressed in its patch for CVE-2024-8190, which was released on September 10, 2024 (CSA 4.6 Patch 519).

CISA has now added the latest vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which means Federal Civilian Executive Branch (FCEB) agencies must remediate it by October 10, 2024, as required by Binding Operational Directive (BOD) 22-01.

Ivanti CSA is an Internet appliance that acts as a gateway to provide external users with secure access to internal enterprise resources.

CVE-2024-8963 is a path traversal vulnerability that allows a remote unauthenticated attacker to access restricted functionality.
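The advisory does not describe how the traversal works inside CSA, but the general defensive check that a path-traversal bug bypasses is simple to state: decode the request once, normalize it, and refuse anything that does not stay under the directory or functionality you intended to expose. The following is an added generic illustration of that check in Python, not code from Ivanti or CSA; the base directory and request strings are constructed for the example.

```python
import posixpath
from urllib.parse import unquote


def safe_path_for(base_dir: str, url_path: str):
    """Return the normalized path for url_path if it stays inside base_dir, else None.

    The check is lexical (posixpath.normpath) so it is deterministic and does not
    depend on the filesystem; symlinks inside base_dir still need a realpath check
    at open time. The request is percent-decoded exactly once before validation,
    so the decoded form is what gets normalized and compared.
    """
    decoded = unquote(url_path)
    # NUL bytes are never legitimate in a path and truncate strings in C-level APIs.
    if "\x00" in decoded:
        return None
    base = posixpath.normpath(base_dir)
    # Strip a leading slash so an absolute request is treated as relative to base.
    joined = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    # Prefix check must include the separator, or "/srv/public_old" would pass for "/srv/public".
    if joined == base or joined.startswith(base + "/"):
        return joined
    return None


if __name__ == "__main__":
    # Constructed requests against an assumed web root.
    for req in ["css/site.css", "img/../index.html", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", "a%00.txt"]:
        print(f"{req!r:28} -> {safe_path_for('/var/www/public', req)}")
```

Requests that normalize to a location inside the base directory come back as a clean path; anything that escapes it, or that smuggles a traversal sequence through percent-encoding or a NUL byte, is rejected before any file or handler is touched.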

All versions of CSA 4.6 before Patch 519 are affected. Ivanti points out that CSA 4.6 has reached the end of its life, and this is the last fix that Ivanti will backport for this version.

Ivanti CSA 4.6 users have two options: apply Patch 519, the final fix Ivanti will backport to 4.6, or upgrade to CSA 5.0.

Ivanti recommends customers upgrade to CSA 5.0.

When the patch for CVE-2024-8190 was released on September 10, 2024, Ivanti says it was not aware of any active exploitation, but three days later a limited number of customers confirmed exploitation following public disclosure. We see this often. It does not take cybercriminals long to reverse engineer a patch and find methods to attack systems that have not yet received it.

During Ivanti’s investigation of the active exploitation, a newer vulnerability was discovered, along with the fact that patch 519 incidentally addressed it because of some of the functionality that it removes.

If CVE-2024-8963 is used in conjunction with the CVE-2024-8190 vulnerability that was patched on September 10, an attacker can bypass admin authentication and execute arbitrary commands on the appliance. 

CVE-2024-8190 is an OS command injection that allows a remote authenticated attacker with admin level privileges to obtain remote code execution.

From all this we can come to the conclusion that attackers were using CVE-2024-8963 to create new administrator accounts which could then be used to exploit CVE-2024-8190 to achieve remote code execution.

This is why Ivanti recommends that users review the CSA for modified or newly added administrative users. Although detection is inconsistent, some attempts may show up in the broker logs, which are local to the system. Ivanti also recommends reviewing EDR alerts if you have EDR or other security tools installed on your CSA.
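A practical way to act on that recommendation is to diff the appliance's current administrator list against a known-good export and to pull account-changing events out of the local logs from patch day onward. The script below is an added example, not Ivanti's tooling; the page does not document the CSA admin-user export or broker log formats, so the account records and log lines here are constructed in an assumed shape and the field names are placeholders.

```python
import re

# Constructed baseline (known-good export) and current admin lists. Assumed shape:
# username -> {"role": ..., "pw_changed": ISO date}. Not CSA's real export format.
BASELINE_ADMINS = {
    "admin":     {"role": "administrator", "pw_changed": "2024-06-01"},
    "ops_admin": {"role": "administrator", "pw_changed": "2024-07-15"},
}
CURRENT_ADMINS = {
    "admin":      {"role": "administrator", "pw_changed": "2024-09-13"},  # changed after patch day
    "ops_admin":  {"role": "administrator", "pw_changed": "2024-07-15"},
    "svc_backup": {"role": "administrator", "pw_changed": "2024-09-12"},  # absent from baseline
}

# Constructed broker log lines in an assumed key=value format (not the real CSA format).
BROKER_LOG = """\
2024-09-11T02:14:05Z broker INFO session user=ops_admin action=login result=ok
2024-09-12T23:41:17Z broker INFO admin user=svc_backup action=user_created by=system
2024-09-13T00:02:33Z broker INFO admin user=admin action=password_changed by=svc_backup
2024-09-13T00:05:10Z broker INFO session user=svc_backup action=login result=ok
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) broker \S+ admin user=(?P<user>\S+) action=(?P<action>\S+)(?: by=(?P<by>\S+))?"
)
ADMIN_CHANGE_ACTIONS = {"user_created", "password_changed", "role_changed"}


def diff_admin_accounts(baseline, current):
    """Report admin accounts added, removed, or changed relative to the baseline."""
    base_names, cur_names = set(baseline), set(current)
    return {
        "added": sorted(cur_names - base_names),
        "removed": sorted(base_names - cur_names),
        "modified": sorted(u for u in base_names & cur_names if baseline[u] != current[u]),
    }


def find_admin_events(log_text, since):
    """Return admin-changing log events on or after `since` (YYYY-MM-DD)."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m or m["action"] not in ADMIN_CHANGE_ACTIONS:
            continue
        if m["ts"][:10] >= since:  # ISO timestamps compare correctly as strings
            events.append({"ts": m["ts"], "user": m["user"], "action": m["action"], "by": m["by"]})
    return events


def review(baseline, current, log_text, since):
    """Combine the account diff and the log sweep into a list of findings to triage."""
    findings = []
    diff = diff_admin_accounts(baseline, current)
    for u in diff["added"]:
        findings.append(f"admin account not in baseline: {u}")
    for u in diff["removed"]:
        findings.append(f"baseline admin account missing: {u}")
    for u in diff["modified"]:
        findings.append(f"admin account changed since baseline: {u}")
    for e in find_admin_events(log_text, since):
        findings.append(f"{e['ts']} {e['action']} user={e['user']} by={e['by']}")
    return findings


if __name__ == "__main__":
    # Review everything from the CVE-2024-8190 patch release date onward.
    for finding in review(BASELINE_ADMINS, CURRENT_ADMINS, BROKER_LOG, "2024-09-10"):
        print(finding)
```

The account diff is the reliable half of this check: it does not depend on the logs having captured anything. The log sweep is a supplement, in line with Ivanti's note that only some attempts show up in the broker logs, so an empty sweep does not clear the appliance.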

As we pointed out in an earlier blog, Ivanti has dealt with a steady stream of serious vulnerabilities over the past 12 months. This is not necessarily a bad sign.

As serious as these bugs are, their discovery may be as much a sign of progress as of weakness. In a blog post accompanying the latest advisory, the company sought to explain, not unreasonably, that the most recent vulnerabilities were discovered as a result of it stepping up its bug hunting efforts:

In recent months, we have intensified our internal scanning, manual exploitation and testing capabilities, and have additionally made improvements to our responsible disclosure process so that we can promptly discover and address potential issues. This has caused a spike in discovery and disclosure, and we agree with CISA’s statement that the responsible discovery and disclosure of CVEs is “a sign of healthy code analysis and testing community.”

When judging the health of a codebase, the rate of discovery can be more instructive than the total number of finds, so we suggest Ivanti users keep a close eye on the company’s updates as its new process does its work.
