Ivanti has issued a warning about three new security vulnerabilities affecting its Cloud Service Appliance (CSA) that are currently being actively exploited.
These zero-day flaws are being exploited in conjunction with a previously patched vulnerability in CSA, according to the Utah-based software services provider.
If successfully exploited, these vulnerabilities could allow an authenticated attacker with admin privileges to bypass restrictions, execute arbitrary SQL statements, or achieve remote code execution.
“We are aware of a limited number of customers using CSA 4.6 patch 518 and earlier versions who have been exploited when CVE-2024-9379, CVE-2024-9380, or CVE-2024-9381 are combined with CVE-2024-8963,” the company stated.
There is no evidence of exploitation in environments running CSA 5.0.
A brief overview of the three vulnerabilities is as follows:
- CVE-2024-9379 (CVSS score: 6.5) – SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to execute arbitrary SQL statements
- CVE-2024-9380 (CVSS score: 7.2) – An operating system (OS) command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution
- CVE-2024-9381 (CVSS score: 7.2) – Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions
The attacks observed by Ivanti involve exploiting the aforementioned vulnerabilities along with CVE-2024-8963 (CVSS score: 9.4), a critical path traversal vulnerability that enables a remote unauthenticated attacker to access restricted functionality.
Ivanti stated that it identified these three new vulnerabilities during its investigation into the exploitation of CVE-2024-8963 and CVE-2024-8190 (CVSS score: 7.2), another OS command injection flaw in CSA that has been exploited in the wild.
In addition to updating to the latest version (5.0.2), the company recommends that users check the appliance for any altered or newly added administrative users, watch for signs of compromise, and monitor alerts from endpoint detection and response (EDR) tools installed on the device.
This development comes shortly after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-29824 (CVSS score: 9.6), a security vulnerability affecting Ivanti Endpoint Manager (EPM) that was patched in May, to the Known Exploited Vulnerabilities (KEV) catalog.