Ivanti has disclosed that a second vulnerability in its Cloud Services Appliance (CSA) has been exploited in attacks. The vulnerability, identified as CVE-2024-8963, was discovered during the patching process for CVE-2024-8190, a high-severity OS command injection flaw announced earlier on September 10, 2024.
The first flaw, CVE-2024-8190, allows remote code execution but requires admin-level authentication. On September 13, Ivanti revealed that this vulnerability had been exploited in limited attacks targeting some customers. While patching this issue, Ivanti uncovered and patched CVE-2024-8963, a critical path traversal vulnerability that allows unauthenticated attackers to access restricted functionality remotely.
Ivanti warned that when CVE-2024-8963 is used in conjunction with CVE-2024-8190, attackers can bypass admin authentication entirely, enabling them to execute arbitrary commands on the affected CSA devices. Ivanti confirmed that both vulnerabilities have been exploited against a small number of customers.
Patches for both vulnerabilities have been released in CSA 4.6 Patch 519 and CSA 5.0. However, since version 4.6 has reached its end of life, no further updates will be provided for that version, and users are advised to upgrade to version 5.0 to stay protected.
More details – https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud-Services-Appliance-CVE-2024-8963?language=en_US