Ivanti has published a security advisory regarding CVE-2024-8963, a critical path traversal vulnerability in Ivanti CSA 4.6, which was unintentionally addressed by Patch 519 for CVE-2024-8190 released on September 10, 2024. This vulnerability allows unauthenticated remote attackers to access restricted functionality, posing severe security risks, especially since it can be exploited in conjunction with CVE-2024-8190, an OS command injection vulnerability. CISA has added CVE-2024-8963 to its Known Exploited Vulnerabilities Catalog, requiring U.S. federal civilian agencies to patch it by October 10, 2024. Ivanti recommends upgrading to CSA 5.0, as CSA 4.6 has reached end-of-support and this is the final patch that will be provided. Despite the challenges posed by these vulnerabilities, Ivanti’s increasing focus on bug hunting and vulnerability disclosure represents progress in their security posture, underscoring the importance of proactive code analysis and testing. Users are advised to monitor for any unauthorized administrative changes and to review security logs.
| Product | Ivanti CSA |
| Date | 2024-09-26 13:47:35 |
| Information |
|
Technical Summary
A path traversal vulnerability in Ivanti Cloud Services Appliance (CSA) in versions prior to 4.6 Patch 519 allows unauthenticated remote attackers to access restricted functionality. This vulnerability is being actively exploited in real-world environments, with the potential to lead to unauthorized access to internal network resources and further system compromise.
Recommendations
Upgrade Ivanti CSA 4.6 to CSA 5.0 as described here.
[Callforaction-THREAT-Footer]
