Ivanti has warned that three new security vulnerabilities impacting its Cloud Service Appliance (CSA) have come under active exploitation in the wild.
The zero-day flaws are being weaponized in conjunction with another flaw in CSA that the company patched last month, the Utah-based software services provider said.
Successful exploitation of these vulnerabilities could allow an authenticated attacker with admin privileges to bypass restrictions, run arbitrary SQL statements, or obtain remote code execution.
"We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380, or CVE-2024-9381 are chained with CVE-2024-8963," the company said.
There is no evidence of exploitation against customer environments running CSA 5.0. A brief description of the three shortcomings is as follows -
- CVE-2024-9379 (CVSS score: 6.5) - SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements
- CVE-2024-9380 (CVSS score: 7.2) - An operating system (OS) command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution
- CVE-2024-9381 (CVSS score: 7.2) - Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.
The attacks observed by Ivanti involve combining the aforementioned flaws with CVE-2024-8963 (CVSS score: 9.4), a critical path traversal vulnerability that allows a remote unauthenticated attacker to access restricted functionality.
Ivanti said it discovered the three new flaws as part of its investigation into the exploitation of CVE-2024-8963 and CVE-2024-8190 (CVSS score: 7.2), another now-patched OS command injection bug in CSA that has also been abused in the wild.
Besides updating to the latest version (5.0.2), the company is recommending users to review the appliance for modified or newly added administrative users to look for signs of compromise, or check for alerts from endpoint detection and response (EDR) tools installed on the device.
The development comes less than a week after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting Ivanti Endpoint Manager (EPM) that was fixed in May (CVE-2024-29824, CVSS score: 9.6) to the Known Exploited Vulnerabilities (KEV) catalog.
CVE-2024-9381 No Longer Considered Actively Exploited
Ivanti has since revised its original advisory, removing references to active exploitation of CVE-2024-9381. When reached for comment, Ivanti told The Hacker News that the flaw was inadvertently marked as exploited due to a "clerical error."
"The update [to the advisory] was to address a clerical error in our reporting," a spokesperson from Ivanti said. "CVE-2024-9381 was discovered internally, and we are not aware of any exploitation in the wild. Ivanti continues to strongly urge all customers who have not already done so to upgrade to CSA 5.0.2."
"We have observed limited exploitation of CSA 4.6 when CVE-2024-9379 or CVE-2024-9380 are chained with CVE-2024-8963, present in CSA 4.6 patch 518 and below, it could lead to unauthenticated remote code execution," the updated bulletin states.
The development has prompted CISA to add both CVE-2024-9379 and CVE-2024-9380 to the KEV catalog, requiring federal agencies to apply the patches by October 30, 2024.
(The story was updated after publication to note that CVE-2024-9381 is no longer being treated as an actively exploited flaw.)