virus logo Threat Signal Report

Ivanti CSA (Cloud Services Appliance) Zero-Day Attack

What is the Attack?

Attackers are actively exploiting multiple zero-day vulnerabilities affecting Ivanti CSA (Cloud Services Appliance) that could lead an attacker to gain admin access, bypass security measures, run arbitrary SQL commands, and execute code remotely.

In a recent incident response engagement, FortiGuard Incident Response (FGIR) services were engaged where an advanced adversary was observed exploiting vulnerabilities affecting the Ivanti Cloud Services Appliance (CSA). To read more visit: Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs (fortinet.com)

  • CVE-2024-9379: SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

  • CVE-2024-9380: An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution.

  • CVE-2024-9381: Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.

  • CVE-2024-8963: Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.

  • CVE-2024-8190: An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution.

What is the recommended Mitigation?

Ivanti has released updates for Ivanti CSA (Cloud Services Appliance) which addresses these vulnerabilities. Security Advisory Ivanti CSA (Cloud Services Appliance)

In the advisory, Ivanti has mentioned that they have observed limited exploitation of CSA 4.6 when CVE-2024-9379 or CVE-2024-9380 are chained with CVE-2024-8963.

What FortiGuard Coverage is available?

  • FortiGuard recommends users apply the vendor's fixes as mentioned in the advisory. 

  • FortiGuard Web Filtering service has blocked all the known Indicators of Compromise (IoCs) captured during the IR engagement.

  • FortiGuard Antivirus service has blocked all the known malware used by the threat actor in the related campaign.

  • FortiGuard IPS protection is available for CVE-2024-8963 "Ivanti.Cloud.Service.Appliance.datetime.Command.Injection", and CVE-2024-9380 "Ivanti.Cloud.Service.Appliance.reports.php.OS.Command.Injection" to defend against the attacks targeting the vulnerable Ivanti CSA systems.

  • The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

description-logoOutbreak Alert

Threat actors chained and exploited multiple zero-day vulnerabilities affecting Ivanti CSA (Cloud Services Appliance). If successful, this could lead an attacker to gain admin access, obtain credentials, bypass security measures, run arbitrary SQL commands, and execute code remotely.

View the full Outbreak Alert Report

Additional Resources

Security Advisory Ivanti CSA (Cloud Services Appliance) (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)
October 2024 Security Update | Ivanti
FortiGuard Virus Encyclopedia
FortiGuard Virus Encyclopedia
FortiGuard Virus Encyclopedia
Threat Signal Report (CVE-2024-8190)
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs (fortinet.com)
Intrusion Prevention | FortiGuard Labs
Intrusion Prevention | FortiGuard Labs
Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications | CISA


Released Date Oct 08, 2024
Tags Ivanti CSA Zero-Day Attack Threat Signal
CVE ID




Threat Actor Type APT

Experienced a Breach? We're here to help

FortiGuard Incident Response Services
FortiGuard Incident Response Services
Outbreak Alert Outbreak Alert
About FortiGuard Threat Signal

Learn More »