Suspected Nation-State Adversary Targets Ivanti CSA
Threat actors chained and exploited multiple zero-day vulnerabilities affecting Ivanti CSA (Cloud Services Appliance). Successful exploitation could allow an attacker to gain admin access, obtain credentials, bypass security measures, run arbitrary SQL commands, and execute code remotely.
Common Vulnerabilities and Exposures
Background
In an incident response engagement during September 2024, FortiGuard Incident Response (FGIR) services discovered a campaign targeting Ivanti Cloud Services Appliance (CSA) for initial access and released a detailed Threat Blog. To read more, visit: https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa
According to a new report released by CISA on 22 January 2025 in response to exploitation activity involving Ivanti Cloud Service Appliances (CSA) vulnerabilities CVE-2024-8963, CVE-2024-9379, CVE-2024-8190 and CVE-2024-9380, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks.
Ivanti has updates available for Ivanti CSA (Cloud Services Appliance) that address these vulnerabilities. FortiGuard recommends that users apply the vendor's fixes as mentioned in the advisory and validate their security controls. (See the References section for the link to the patch release.)
Latest Development
Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.
Please note: Ivanti recently disclosed two vulnerabilities (CVE-2025-0282, CVE-2025-0283) affecting Ivanti Connect Secure, Policy Secure & ZTA Gateways. To read more, see the related FortiGuard Threat Signal posted at https://www.fortiguard.com/threat-signal-report/5612
- July 01, 2025: The French National Agency for the Security of Information Systems (ANSSI) discovered a cyber campaign that targeted various sectors in France, such as government, telecommunications, media, finance, and transport. The attackers exploited zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) devices.
  https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf
- January 22, 2025: The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released this joint Cybersecurity Advisory.
  https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a
- October 11, 2024: FortiGuard Threat Research team released a Threat Blog.
  https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa
- October 08, 2024: FortiGuard Labs released a Threat Signal on Ivanti CSA (Cloud Services Appliance) Zero-Day Attack
  https://www.fortiguard.com/threat-signal-report/5556/
- October 08, 2024: Security Advisory Ivanti CSA (Cloud Services Application) (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)
  https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US
- September 13, 2024: FortiGuard Labs released a Threat Signal on Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability (CVE-2024-8190)
  https://fortiguard.fortinet.com/threat-signal-report/5523
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
- Lure
- Decoy VM
- AV
- AV (Pre-filter)
- Behavior Detection
- IPS
- IOC
- Outbreak Detection
- Threat Hunting
- Cloud Threat Detection
- Automated Response
- Assisted Response Services
- NOC/SOC Training
- End-User Training
- Attack Surface Monitoring (Inside & Outside)
- Attack Surface Hardening
Threat Intelligence
Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.
References
Sources of information in support and relation to this Outbreak and vendor.