SecurityWeek

Ivanti Warns Customers of More CSA Zero-Days Exploited in Attacks

Ivanti says a few more CSA zero-day vulnerabilities have been found to be exploited in attacks where they are chained with CVE-2024-8963.

Ivanti on Tuesday informed customers about more Cloud Services Application (CSA) zero-days that have been exploited in attacks.

On September 10, Ivanti announced patches for CVE-2024-8190, a CSA vulnerability that allows attackers with elevated privileges to achieve remote code execution. 

Exploitation of this flaw was spotted just a few days later, and on September 19 it came to light that threat actors had been chaining it with a security hole tracked as CVE-2024-8963 to bypass authentication and then exploit CVE-2024-8190.

Ivanti on Tuesday announced that CVE-2024-8963 has been chained with other CSA vulnerabilities as well to target a “limited number” of its customers.

However, it’s unclear if two or three new vulnerabilities are being exploited. In a blog post the company says three new flaws tracked as CVE-2024-9379, CVE-2024-9380 and CVE-2024-9381 have been chained with CVE-2024-8963. Its advisory, on the other hand, only mentions exploitation of CVE-2024-9379 and CVE-2024-9380 but not CVE-2024-9381.

CVE-2024-9381 has been described as a high-severity path traversal issue that allows a remote and authenticated attacker with administrator privileges to bypass restrictions. CVE-2024-9380 is a high-severity OS command injection bug that allows remote code execution, but it also requires authentication with admin privileges.

CVE-2024-9379 is a medium-severity SQL injection that allows an authenticated attacker with admin privileges to run arbitrary SQL commands.

“[These vulnerabilities] were discovered during our investigation into the exploitation of CVE-2024-8963 and CVE-2024-8190 in CSA 4.6 and found to be present, although not exploited, in CSA 5.0,” Ivanti said.

It’s worth noting that in each attack threat actors appear to be chaining CVE-2024-8963 with only one of the three new CSA zero-days — they are not all being exploited at the same time. 

The company has shared indicators of compromise (IoCs) that can be used to detect attacks exploiting these vulnerabilities. 

In addition to the CSA vulnerabilities, Ivanti in recent weeks confirmed in-the-wild exploitation of CVE-2024-7593, a Virtual Traffic Manager (vTM) authentication bypass vulnerability, and CVE-2024-29824, an Endpoint Manager (EPM) flaw that allows arbitrary code execution.

Ivanti on Tuesday also published advisories for vulnerabilities found in EPMM, Velocity License Server, Avalanche, and Connect Secure products, but the company says there is no evidence that these other security holes have been exploited in the wild. 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
