Ivanti warns of three more CSA zero-days exploited in attacks
American IT software company Ivanti has released security updates to fix three new Cloud Services Appliance (CSA) zero-days tagged as actively exploited in attacks.
As Ivanti revealed on Tuesday, attackers are chaining the three security flaws with another CSA zero-day patched in September.
Successful exploitation of these vulnerabilities can let remote attackers run SQL statements via SQL injection, execute arbitrary code via command injection, and bypass security restrictions by abusing a path traversal weakness on vulnerable CSA gateways (used to provide enterprise users secure access to internal network resources).
“We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380 or CVE-2024-9381 are chained with CVE-2024-8963,” Ivanti warned.
The company says the flaws impact CSA 5.0.1 and earlier and recommends that customers who suspect their systems have been compromised in these attacks rebuild their CSA appliances with version 5.0.2.
To detect exploitation attempts, admins should review alerts from endpoint detection and response (EDR) or other security software. They can also observe signs of compromise by checking for new or modified admin users.
Since CSA 4.6 is an end-of-life product that received its last security patch in September, customers still running this version are advised to upgrade to CSA 5.0.2 as soon as possible.
“Additionally, it is important for customers to know that we have not observed exploitation of these vulnerabilities in any version of CSA 5.0,” the company added.
Multiple Ivanti zero-days under active exploitation
Last month, Ivanti warned that threat actors were chaining an admin bypass vulnerability (CVE-2024-8963) with a command injection bug (CVE-2024-8190) to bypass admin authentication and execute arbitrary commands on unpatched CSA appliances.
CISA added the two Ivanti flaws to its Known Exploited Vulnerabilities catalog and ordered federal agencies to secure vulnerable systems by October 10.
This stream of disclosures of actively exploited zero-days comes as the company says it has escalated testing and internal scanning capabilities and is working on improving its responsible disclosure process to address security issues faster.
“Ivanti is making a large investment in Secure by Design across our organization and signed the CISA Secure by Design pledge in May,” Ivanti said today.
Several flaws were exploited as zero-days in widespread attacks in recent months, targeting Ivanti VPN appliances and ICS, IPS, and ZTA gateways.
Ivanti says it has over 7,000 partners and that over 40,000 companies use its products to manage their systems and IT assets worldwide.