Ivanti has disclosed a critical vulnerability affecting its Cloud Service Appliance (CSA) that is being actively exploited. The flaw, tracked as CVE-2024-8963, carries a CVSS score of 9.4 and was "incidentally addressed" in CSA versions 4.6 Patch 519 and 5.0.
The vulnerability is a path traversal issue that allows remote, unauthenticated attackers to reach restricted functionality. Chained with CVE-2024-8190 (CVSS 7.2), it lets attackers bypass admin authentication and execute arbitrary commands on the appliance.
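The vulnerability class named above, path traversal, is illustrated here with an added example that is not Ivanti's code and says nothing about CSA's internals (the page does not describe them). It places the naive path join that produces this bug beside a hardened version that decodes, canonicalises and confines the path, then runs a detection pass over a few constructed access-log lines so a defender can see what the request pattern looks like. The document root, the log lines and all function names are assumptions for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed document root for the example (not an Ivanti path)
WEB_ROOT = "/var/www/app/public"


def resolve_unsafe(web_root, requested):
    """Vulnerable pattern: joins the client-supplied path without confining it,
    so '..' segments walk out of web_root after normalisation."""
    return posixpath.normpath(web_root + "/" + requested)


def decode_path(requested):
    """Percent-decode twice so %2e%2e and double-encoded %252e%252e both become '..'."""
    return unquote(unquote(requested))


def resolve_safe(web_root, requested):
    """Hardened pattern: decode, normalise, then confine to web_root.
    Returns the canonical path, or None if the request escapes the root."""
    decoded = decode_path(requested)
    # NUL bytes and absolute paths are never legitimate in a relative resource name
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(web_root, decoded))
    if candidate == web_root or candidate.startswith(web_root + "/"):
        return candidate
    return None


# Constructed access-log lines in common log format (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Sep/2024:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 812',
    '10.0.0.9 - - [19/Sep/2024:10:01:07 +0000] "GET /static/../../etc/passwd HTTP/1.1" 200 1402',
    '10.0.0.9 - - [19/Sep/2024:10:01:09 +0000] "GET /static/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0',
    '10.0.0.7 - - [19/Sep/2024:10:01:11 +0000] "POST /login HTTP/1.1" 302 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/')


def is_traversal(path):
    """True if any decoded path segment is '..'."""
    return ".." in decode_path(path).split("/")


def flag_traversal(lines):
    """Return (client_ip, path, status) for requests carrying traversal sequences.
    A 2xx status on a flagged line deserves priority: the server served the file."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group(1)
        if is_traversal(path):
            client_ip = line.split(" ", 1)[0]
            status = int(line.split('" ', 1)[1].split(" ")[0])
            hits.append((client_ip, path, status))
    return hits


if __name__ == "__main__":
    print(resolve_unsafe(WEB_ROOT, "../../etc/passwd"))   # escapes the root
    print(resolve_safe(WEB_ROOT, "../../etc/passwd"))     # None: rejected
    for hit in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The confinement check compares the normalised candidate against the root with a trailing separator, so a sibling directory such as `/var/www/app/public2` cannot pass as a prefix match. Decoding before normalisation matters because a check that only looks for the literal string `../` misses the percent-encoded form that the third log line carries.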
Ivanti has confirmed that some customers have already been targeted by this exploit, signaling that attackers are leveraging both vulnerabilities to gain control of vulnerable systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply patches by October 10, 2024.
Ivanti strongly recommends users upgrade to CSA version 5.0, as version 4.6 has reached end-of-life and is no longer supported.