Ivanti zero-day vulnerabilities exploited in chained attack

The new exploit chains targeting Ivanti Cloud Service Application customers are connected to a previously disclosed critical path traversal flaw, CVE-2024-8963.

Ivanti said a limited number of its Cloud Service Application customers have been attacked via exploit chains containing new zero-day vulnerabilities.

The company said in a Tuesday blog post that it is "aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380 or CVE-2024-9381 are chained with CVE-2024-8963." No other Ivanti products or versions are affected.

The central vulnerability, CVE-2024-8963, is a critical path traversal vulnerability first disclosed on Sept. 19. It enables "a remote unauthenticated attacker to access restricted functionality," a security advisory read. Although Ivanti initially addressed the vulnerability in a Sept. 10 patch, the vendor stated that CSA 4.6 is end-of-life and "customers must upgrade to Ivanti CSA 5.0 for continued support."

The other flaws were disclosed on Oct. 8 and affect CSA 5.0.1 and earlier versions. CVE-2024-9379 is a medium-severity (CVSS 6.5) SQL injection flaw in the CSA admin web console that "allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements"; CVE-2024-9380 is a high-severity (CVSS 7.2) OS command injection flaw in the admin web console that "allows a remote authenticated attacker with admin privileges to obtain remote code execution"; and CVE-2024-9381 is a high-severity (CVSS 7.2) path traversal flaw that "allows a remote authenticated attacker with admin privileges to bypass restrictions."

Regarding the new exploit chains, Ivanti said only users with CSA versions 4.6 patch 518 and prior have been targeted in attacks. As such, the vendor's only mitigation for users is to upgrade to CSA 5.0.2.

TechTarget Editorial asked Ivanti whether it intends to offer any additional patch for 4.6 users, but the company had not responded as of press time.

These vulnerabilities mark the latest set of serious Ivanti product flaws to come under attack in recent weeks. Last month, CISA added CVE-2024-7593, a critical-severity authentication bypass flaw in Ivanti's Virtual Traffic Manager, to its Known Exploited Vulnerabilities catalog. The aforementioned CVE-2024-8963 stemmed from the high-severity CSA flaw CVE-2024-8190, which has also been exploited in attacks.

Going back further, CISA in January called attention to two Ivanti zero-day flaws -- CVE-2023-46805 and CVE-2024-21887 -- in Policy Secure and Connect Secure, respectively, that were under attack by a Chinese nation-state threat actor. Vendors such as Volexity said at the time that the vulnerabilities were under widespread exploitation. R&D firm Mitre, for instance, disclosed in April that it was breached by an unnamed nation-state actor via these very same bugs.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.