Sead Fadilpašić

Critical Ivanti Cloud Service Appliance flaw exploited in the wild

A critical path traversal vulnerability, recently discovered in Ivanti’s Cloud Service Appliance (CSA), is being actively exploited in the wild to grant access to restricted product functionalities. This is according to the security advisory Ivanti published earlier this week, in which it said it was “aware of a limited number of customers” who have been exploited by this vulnerability.

CSA is a gateway solution that allows secure communication between Ivanti software products (such as Ivanti Endpoint Manager) and devices outside the corporate network. It acts as a secure bridge for remote devices, enabling them to connect to internal services without the need for a VPN.

The bug is being tracked as CVE-2024-8963 and carries a severity score of 9.4. Ivanti says attackers can chain it with CVE-2024-8190, an OS command injection vulnerability, to bypass admin authentication and run arbitrary commands on the vulnerable appliance.

End of life

The company did not say which companies were targeted, or by whom.

The bug was “incidentally addressed” as part of CSA 4.6 Patch 519 and in CSA 5.0: “Ivanti is disclosing a critical vulnerability in Ivanti CSA 4.6 which was incidentally addressed in the patch released on 10 September (CSA 4.6 Patch 519),” the company said. It stressed that CSA 4.6 is past its end-of-life date and, as such, no longer receives patches for the OS or third-party libraries.

“Additionally, with the end-of-life status the fix released on 10 September is the last fix Ivanti will backport to that version,” the company concluded. “Customers must upgrade to Ivanti CSA 5.0 for continued support. CSA 5.0 is the only supported version of the product and is not affected by this vulnerability.”

Since the bug is actively exploited, the US Cybersecurity and Infrastructure Security Agency (CISA) recently added it to its Known Exploited Vulnerabilities (KEV) catalog, requiring government agencies to patch by October 10, The Hacker News reported.
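The advisory boils down to three facts a defender has to apply across an inventory: CSA 4.6 below Patch 519 is exposed, every 4.6 build is end-of-life even when patched, and only CSA 5.0 is supported and unaffected. The following triage helper is an added example written for this article, not Ivanti's or CISA's own tooling; the "4.6 Patch 519" / "5.0" version-string format it parses is an assumption for illustration, the inventory is constructed, and the KEV due date is built from the article's "October 10" with the year taken from the CVE identifier.

```python
import re
from datetime import date

# Facts as stated in the advisory and the article:
#   - CSA 4.6 Patch 519 (released 10 September) incidentally fixed CVE-2024-8963
#   - CSA 4.6 is end-of-life; Patch 519 is the last fix Ivanti will backport
#   - CSA 5.0 is the only supported version and is not affected
#   - CISA KEV due date for agencies: 10 October (year assumed from the CVE id)
FIXED_46_PATCH = 519
KEV_DUE = date(2024, 10, 10)

# Assumed version-string format for this example, e.g. "4.6 Patch 519" or "5.0".
# This is not Ivanti's documented versioning scheme.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*(?:patch|p)\s*(\d+))?\s*$", re.IGNORECASE)


def parse_csa_version(text):
    """Return (major, minor, patch) from a string such as '4.6 Patch 519'.

    A missing patch component is treated as patch 0 so that an unpatched
    '4.6' sorts below any numbered patch level.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CSA version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version_text, today=None):
    """Classify one appliance: exposure to CVE-2024-8963, support status, KEV urgency.

    `today` is an optional ISO date string so results are reproducible.
    """
    today = date.fromisoformat(today) if today else date.today()
    major, minor, patch = parse_csa_version(version_text)

    if (major, minor) >= (5, 0):
        exposed, status = False, "supported; not affected"
    elif (major, minor) == (4, 6):
        exposed = patch < FIXED_46_PATCH
        status = "end-of-life; Patch 519 is the last backported fix"
    else:
        # Branches older than 4.6 are not covered by the advisory text;
        # treat them as exposed and unsupported until proven otherwise.
        exposed, status = True, "end-of-life; not covered by the advisory"

    return {
        "version": version_text,
        "exposed": exposed,
        "status": status,
        "days_to_kev_deadline": (KEV_DUE - today).days,
        "action": "upgrade to CSA 5.0" if (major, minor) < (5, 0) else "none",
    }


def triage(inventory, today=None):
    """Assess a list of (hostname, version) pairs; exposed hosts come first.

    Unparseable versions are kept but flagged, so that a bad inventory
    record never silently drops a host from the list.
    """
    rows = []
    for host, version in inventory:
        try:
            row = assess(version, today)
        except ValueError as err:
            row = {"version": version, "exposed": True, "status": f"unknown: {err}",
                   "days_to_kev_deadline": None, "action": "verify version manually"}
        row["host"] = host
        rows.append(row)
    # Exposed first, then by how far the version is from 5.0 (older first).
    return sorted(rows, key=lambda r: (not r["exposed"], r["version"]))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [("csa-dmz-01", "4.6 Patch 518"), ("csa-dmz-02", "4.6 Patch 519"),
              ("csa-lab-01", "5.0"), ("csa-old-01", "garbage")]
    for r in triage(sample, today="2024-09-20"):
        flag = "EXPOSED " if r["exposed"] else "ok      "
        print(f"{flag} {r['host']:12} {r['version']:16} {r['status']} -> {r['action']}")
```

The sort order puts every exposed 4.6 host at the top of the report, and the `days_to_kev_deadline` field turns the KEV due date into a countdown an operations team can act on; patched 4.6 hosts still show an upgrade action because the article is explicit that no further fixes will be backported to that branch.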

Via The Hacker News
