
Ivanti CSA Customers Targeted in New Zero-Day Attacks

Attackers Chain Three Security Flaws With Patched Admin Bypass Vulnerability
Ivanti again warned customers using version 4.6 of its Cloud Services Appliance to be on the lookout for hackers. (Image: Shutterstock)

Internet appliance maker Ivanti warned customers Tuesday that attackers are actively exploiting new vulnerabilities in Cloud Services Appliance instances by chaining three security flaws with a zero-day patched in September.


Ivanti in September announced emergency updates for version 4.6 of the Cloud Services Appliance that fixed a high-severity command injection issue, tracked as CVE-2024-8190. The flaw required attackers to have admin access, but cybersecurity researchers discovered they could brute-force their way into it (see: Ivanti Vulnerability Again Forces Emergency Patches).

Ivanti gateway appliances earlier this year were at the center of an espionage hacking operation likely conducted by China. The company has since found itself on a treadmill of publishing security fixes as scrutiny by hackers and researchers alike uncovered a stream of vulnerabilities.

The three flaws are tracked as CVE-2024-9379, CVE-2024-9380 and CVE-2024-8963. They enable bad actors to run SQL commands, execute code and bypass security on vulnerable CSA gateways.

Ivanti on Tuesday acknowledged that attackers have targeted a "limited number of customers." It recommended customers upgrade to version 5.0, since version 4.6 is at end of life.

"We have not observed these vulnerabilities being exploited in any version of CSA 5.0," the company said.

CVE-2024-9380 is a high-severity OS command injection bug allowing RCE. CVE-2024-9379 is a medium-severity SQL injection vulnerability that enables an authenticated attacker with admin rights to execute arbitrary SQL commands. CVE-2024-8963 was already incidentally fixed by the Sept. 10 patch.

To identify potential exploitation attempts, administrators should examine security alerts. They can also look for indicators of compromise by checking for newly created or modified admin user accounts.


About the Author

Anviksha More


Senior Subeditor, ISMG Global News Desk

More has seven years of experience in journalism, writing and editing. She previously worked with Janes Defense and the Bangalore Mirror.



