Ivanti on Tuesday informed customers about more Cloud Services Application (CSA) zero-days that have been exploited in attacks.
On September 10, Ivanti announced patches for CVE-2024-8190, a CSA vulnerability that allows attackers with elevated privileges to achieve remote code execution.
Exploitation of this flaw was spotted just a few days later, and on September 19 it came to light that threat actors had been chaining it with a security hole tracked as CVE-2024-8963 to bypass authentication and then exploit CVE-2024-8190.
Ivanti on Tuesday announced that CVE-2024-8963 has been chained with other CSA vulnerabilities as well to target a “limited number” of its customers.
However, it’s unclear if two or three new vulnerabilities are being exploited. In a blog post the company says three new flaws tracked as CVE-2024-9379, CVE-2024-9380 and CVE-2024-9381 have been chained with CVE-2024-8963. Its advisory, on the other hand, only mentions exploitation of CVE-2024-9379 and CVE-2024-9380 but not CVE-2024-9381.
CVE-2024-9381 has been described as a high-severity path traversal issue that allows a remote and authenticated attacker with administrator privileges to bypass restrictions. CVE-2024-9380 is a high-severity OS command injection bug that allows remote code execution, but which also requires authentication with admin privileges.
CVE-2024-9379 is a medium-severity SQL injection that allows an authenticated attacker with admin privileges to run arbitrary SQL commands.
“[These vulnerabilities] were discovered during our investigation into the exploitation of CVE-2024-8963 and CVE-2024-8190 in CSA 4.6 and found to be present, although not exploited, in CSA 5.0,” Ivanti said.
It’s worth noting that in each attack threat actors appear to be chaining CVE-2024-8963 with only one of the three new CSA zero-days at a time, rather than exploiting all three together.
The company has shared indicators of compromise (IoCs) that can be used to detect attacks exploiting these vulnerabilities.
In addition to the CSA vulnerabilities, Ivanti in recent weeks confirmed in-the-wild exploitation of CVE-2024-7593, a Virtual Traffic Manager (vTM) authentication bypass vulnerability, and CVE-2024-29824, an Endpoint Manager (EPM) flaw that allows arbitrary code execution.
Ivanti on Tuesday also published advisories for vulnerabilities found in EPMM, Velocity License Server, Avalanche, and Connect Secure products, but the company says there is no evidence that these other security holes have been exploited in the wild.