Latest News on Ivanti Cloud Vulnerabilities and Exploits

Active Exploitation of Ivanti Cloud Service Appliances (CSA) Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory (AA25-022A, January 2025) warning that several critical vulnerabilities in Ivanti Cloud Service Appliances (CSA) are being actively exploited.

Affected Vulnerabilities

The vulnerabilities being exploited include:

  • CVE-2024-8963: An administrative bypass vulnerability (path traversal) that lets a remote, unauthenticated attacker reach restricted functionality of the appliance.
  • CVE-2024-8190: An OS command injection vulnerability that lets a remote attacker who is authenticated with administrative privileges execute arbitrary commands.
  • CVE-2024-9379: A SQL injection vulnerability in the admin web console that lets an attacker with administrative privileges run arbitrary SQL statements.
  • CVE-2024-9380: An OS command injection vulnerability in the admin web console that gives an attacker with administrative privileges remote code execution (RCE).

Impact and Exploitation

Ivanti patched these vulnerabilities in September and October 2024 (CVE-2024-8963 and CVE-2024-8190 in CSA 4.6 patch 519; CVE-2024-9379 and CVE-2024-9380 in CSA 5.0.2), but threat actors continue to exploit unpatched appliances to breach networks. The observed activity chains the vulnerabilities: the administrative bypass provides initial access, the injection flaws provide remote code execution, and from there the actors harvest credentials and implant webshells on victim networks.

Affected Versions

The vulnerabilities affect the following versions of Ivanti CSA:

  • CVE-2024-8963, CVE-2024-8190, and CVE-2024-9380 impact Ivanti CSA 4.6x versions prior to build 519.
  • CVE-2024-9379 and CVE-2024-9380 additionally affect CSA versions 5.0.1 and below.

It is crucial to note that Ivanti CSA 4.6 has reached end-of-life (EOL) and no longer receives security patches or updates; patch 519 was its final fix, so users must upgrade to a supported version.

Recommendations from CISA and FBI

CISA and the FBI strongly recommend the following actions to mitigate these vulnerabilities:

  • Upgrade to the latest supported version of Ivanti CSA.
  • Deploy Endpoint Detection and Response (EDR) solutions.
  • Log network activity so that suspicious behavior can be spotted and investigated.
  • Patch operating systems, software, and firmware regularly, within 24 to 48 hours of a vulnerability disclosure.
  • Conduct threat hunting using the detection methods and indicators of compromise (IOCs) provided in the advisory.
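The logging and threat-hunting recommendations above are only useful with concrete detection logic behind them. The script below is an added example for this page, not code from the CISA/FBI advisory or from Ivanti: it parses web-server access logs and flags requests whose path or query string contains a directory-traversal sequence, the class of bug behind the CVE-2024-8963 administrative bypass. It percent-decodes repeatedly so that double-encoded sequences (%252e%252e) are recognised, checks whether the decoded path climbs above the web root, and lists traversal attempts the server answered with a 2xx status first, since those deserve triage before the ones that failed. The log lines are constructed and the heuristics are generic; the advisory's own detection methods and IOCs are not reproduced here.

```python
"""Hunt a web-server access log for path-traversal style requests.

Added example, not from the CISA/FBI advisory or from Ivanti. The log
lines are constructed and the traversal heuristics are generic.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "common" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Sep/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.10 - - [19/Sep/2024:10:01:05 +0000] "GET /app/view.php?page=../../../etc/passwd HTTP/1.1" 200 2048
198.51.100.7 - - [19/Sep/2024:10:02:11 +0000] "GET /static/%2e%2e/%2e%2e/config.php HTTP/1.1" 404 0
198.51.100.7 - - [19/Sep/2024:10:02:12 +0000] "POST /%252e%252e/admin/tasks.php HTTP/1.1" 200 128
10.0.0.5 - - [19/Sep/2024:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment followed by a separator (or end of string), in either slash style.
DOTDOT = re.compile(r'\.\.(?:[/\\]|$)')


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def lowest_depth(path: str) -> int:
    """Walk the path segments; a negative result means '..' climbed above the root."""
    depth = lowest = 0
    for seg in re.split(r'[/\\]+', path):
        if seg == '..':
            depth -= 1
            lowest = min(lowest, depth)
        elif seg and seg != '.':
            depth += 1
    return lowest


def traversal_reasons(target: str) -> list[str]:
    """Return why a request target looks like traversal; empty list if it looks clean."""
    raw_path, _, raw_query = target.partition('?')
    path, query = fully_decode(raw_path), fully_decode(raw_query)
    reasons = []
    if DOTDOT.search(path):
        reasons.append('dot-dot segment in path')
        if lowest_depth(path) < 0:
            reasons.append('path climbs above web root')
    if DOTDOT.search(query):
        reasons.append('dot-dot segment in query string')
    # If a second decode round changed anything, the client layered its encoding.
    if path != unquote(raw_path) or query != unquote(raw_query):
        reasons.append('multiple layers of percent-encoding')
    return reasons


def hunt(log_text: str) -> list[dict]:
    """Parse each line and keep those with traversal indicators; 2xx responses first."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = traversal_reasons(m['target'])
        if reasons:
            hits.append({
                'ip': m['ip'], 'time': m['ts'], 'method': m['method'],
                'target': m['target'], 'status': int(m['status']), 'reasons': reasons,
            })
    # Stable sort: attempts the server answered with 2xx move to the top, log order otherwise.
    hits.sort(key=lambda h: h['status'] // 100 != 2)
    return hits


if __name__ == '__main__':
    for h in hunt(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} {h['method']} {h['status']} {h['target']}")
        for r in h['reasons']:
            print(f"    - {r}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a traversal request that returned 200 from an address outside your management network is the kind of event the advisory's hunt guidance asks you to investigate, together with the host's webshell and credential-theft indicators.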

Additional Vulnerabilities

In addition to the above, CISA has also highlighted other vulnerabilities in Ivanti products:

  • CVE-2025-0282 and CVE-2025-0283: Stack-based buffer overflow vulnerabilities affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CVE-2025-0282 allows a remote, unauthenticated threat actor to take control of an affected system and has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog; CVE-2025-0283 allows a local authenticated attacker to escalate privileges.

Threat Actors

Public reporting attributes exploit chains against Ivanti CSA to Chinese threat actors, which adds to the urgency of addressing these vulnerabilities.

Reporting and Mitigation

Organizations are urged to report incidents or anomalous activity to CISA's 24/7 Operations Center and to follow the mitigation steps in the advisory: hunt for the documented indicators, remediate any compromise found, and apply the updates before returning devices to service.

For more detailed information and guidance, organizations can refer to the CISA advisory and the Known Exploited Vulnerabilities Catalog.