Ivanti has disclosed a critical security vulnerability in its Cloud Service Appliance (CSA), identified as CVE-2024-8963, which is being actively exploited in the wild. The flaw, rated CVSS 9.4 out of 10, is a path traversal that lets a remote, unauthenticated attacker reach restricted functionality on the appliance. It affects CSA 4.6 builds prior to Patch 519; the fix is included in 4.6 Patch 519 and in CSA 5.0.
Compounding the threat, Ivanti has revealed that CVE-2024-8963 can be chained with another vulnerability, CVE-2024-8190 (CVSS score 7.2), enabling attackers to bypass admin authentication and execute arbitrary commands on affected appliances. This combination of vulnerabilities presents a significant risk to organizations using vulnerable versions of Ivanti CSA.
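The advisory gives no request-level details, so the following is an added, generic example (not Ivanti code, and not a CSA-specific indicator) of how a responder would hunt for path-traversal attempts in web access logs: it URL-decodes each request target until it is stable (so double-encoded `%252e%252e` collapses to `..`), splits the path into segments, and flags any `..` segment, reporting the resolved path and whether the attempt was encoded. The log lines, hostnames and paths are constructed for the example.

```python
"""Hunt for path-traversal attempts in combined-format web access logs.

Added example, not vendor code. The sample log lines below are constructed;
the paths in them are illustrative and not real appliance endpoints.
"""
import posixpath
import re
from urllib.parse import unquote

# ip, ts, method, target, status from a combined/common log line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign request, four traversal attempts of
# different shapes, and one benign name containing dots.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Sep/2024:10:01:02 +0000] "GET /client/index.php?lang=en HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Sep/2024:10:02:15 +0000] "GET /client/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1084',
    '198.51.100.7 - - [19/Sep/2024:10:02:16 +0000] "GET /client/..%252f..%252fapp/admin.php HTTP/1.1" 200 3310',
    '192.0.2.9 - - [19/Sep/2024:10:03:40 +0000] "POST /api/v1/../../admin/cmd.php HTTP/1.1" 403 221',
    '203.0.113.5 - - [19/Sep/2024:10:04:00 +0000] "GET /docs/release...notes.txt HTTP/1.1" 404 198',
    '198.51.100.7 - - [19/Sep/2024:10:05:01 +0000] "GET /client/..;/admin/ HTTP/1.1" 200 3310',
]


def decode_fully(s, max_rounds=4):
    """URL-decode repeatedly until the string stops changing.

    Single decoding misses double-encoded traversal (..%252f -> ..%2f -> ../).
    max_rounds bounds the loop against pathological input.
    """
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_log(lines):
    """Return one hit per request whose decoded path contains a '..' segment."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        target = m.group("target")
        raw_path = target.split("?", 1)[0]          # drop the query string
        path = decode_fully(raw_path).replace("\\", "/")  # backslash variants
        segments = path.split("/")
        # '..;' covers the path-parameter trick some servlet containers accept
        if not any(seg == ".." or seg.startswith("..;") for seg in segments):
            continue
        hits.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "raw": target,
            "resolved": posixpath.normpath(path),
            "encoded": path != raw_path,  # decoding changed the path
        })
    return hits


def likely_successful(hits):
    """Traversal attempts the server answered with 2xx deserve triage first."""
    return [h for h in hits if 200 <= h["status"] < 300]


if __name__ == "__main__":
    for h in likely_successful(scan_log(SAMPLE_LOG)):
        print(f'{h["ip"]} {h["method"]} {h["raw"]} -> {h["resolved"]} '
              f'(status {h["status"]}, encoded={h["encoded"]})')
```

Run it against real access logs by replacing `SAMPLE_LOG` with the file's lines; a 2xx response to a request that resolves outside the expected directory is the case to escalate, and the `encoded` flag separates scanner noise from attempts that deliberately evaded a naive `..` filter. This is a generic traversal hunt; the vendor's own indicators of compromise for the CSA vulnerabilities take precedence where available.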
In response to the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-8963 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are now required to apply the necessary patches by October 10, 2024. Ivanti has strongly urged all users to upgrade to CSA version 5.0 as soon as possible, noting that version 4.6 is end-of-life and no longer supported.
The discovery of active exploitation underscores the urgency for organizations to take immediate action. Ivanti's acknowledgment of a limited number of customers already affected by this vulnerability highlights the real-world impact of these security flaws. As cyber threats continue to evolve, prompt patching and upgrading of critical systems remain essential defenses against potential breaches and unauthorized access.