More Ivanti vulnerabilities exploited in the wild
Three vulnerabilities in Ivanti products have come under attack by unknown threat actors in recent weeks, including two flaws in the company's Cloud Services Appliance.
A trio of vulnerabilities in Ivanti products have come under attack in recent weeks, highlighting once again how the software maker has become an increasingly popular target for threat actors.
CISA on Tuesday added CVE-2024-7593, an authentication bypass flaw in Ivanti's Virtual Traffic Manager (vTM), to the agency's Known Exploited Vulnerabilities Catalog. Ivanti first disclosed the critical vTM flaw, which has a CVSS score of 9.8, on Aug. 12.
In a security advisory last month, Ivanti said patches for all affected versions of vTM were made available by Aug. 19. The software maker said it was not aware of exploitation activity in the wild but noted that a proof-of-concept exploit was publicly available.
TechTarget Editorial contacted Ivanti for comment on the reported exploitation of CVE-2024-7593, but the company had not responded at press time.
Last week, another critical Ivanti vulnerability, tracked as CVE-2024-8963, came under attack. First disclosed Sept. 16, the path traversal vulnerability affects Ivanti's Cloud Services Appliance (CSA) 4.6, which has reached end-of-life status. While Ivanti said the flaw had been exploited against a "limited number of customers," CVE-2024-8963 is not considered a zero-day vulnerability because it had been patched several days earlier.
In its advisory for CVE-2024-8963, Ivanti said the flaw stemmed from a third vulnerability that came under attack the previous week. CVE-2024-8190 is a high-severity flaw in CSA, with a 7.2 CVSS score, that can be chained with CVE-2024-8963 to bypass administrator authentication and execute arbitrary commands on the product. The vulnerability was first disclosed Sept. 10 and mitigated with patch 519, and Ivanti confirmed exploitation against a limited number of customers Sept. 13.
In the advisory for CVE-2024-8963, Ivanti explained that the flaw was found internally while investigating the exploitation of CVE-2024-8190. "As we were evaluating the root cause of this vulnerability, we discovered that the issue had been incidentally addressed with some of the functionality removal that had been included in patch 519," the advisory said.
It's unclear what type of attacks were committed against Ivanti customers or who may have been responsible for the activity. Ivanti vulnerabilities have attracted a wide range of threat actors in the past, from cybercriminals to nation-state hackers. Earlier this year, CISA revealed that two Ivanti zero-day vulnerabilities that had previously been exploited by a Chinese nation-state threat actor were used to breach two of the agency's internal systems.
Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage.