Ivanti Issues Warning on Active Exploitation of Recently Patched Cloud Appliance Vulnerability
Ivanti has disclosed that a recently patched security vulnerability in its Cloud Service Appliance (CSA) is being actively exploited in the wild.
The vulnerability, tracked as CVE-2024-8190 (CVSS score: 7.2), is rated high-severity and can lead to remote code execution, although, as the advisory notes, only an attacker who already holds administrative privileges on the appliance can trigger it.
“This OS command injection vulnerability affects Ivanti Cloud Services Appliance versions 4.6 Patch 518 and earlier, allowing a remote attacker with administrative privileges to achieve remote code execution,” Ivanti stated in an advisory earlier this week.
The flaw affects Ivanti CSA version 4.6, which has reached end-of-life, so customers are expected to migrate to a supported release. Ivanti has nevertheless addressed the vulnerability in CSA 4.6 Patch 519.
“This is the final patch Ivanti will provide for version 4.6 due to its end-of-life status,” the Utah-based IT software company stated. “Customers must upgrade to Ivanti CSA 5.0 to continue receiving support.”
Ivanti confirmed that CSA 5.0, the only version currently supported, is not affected by the vulnerability. Users already on version 5.0 need not take any further action.
On Friday, Ivanti updated the advisory to confirm that the vulnerability had been exploited in the wild, targeting a “limited number of customers.” Specific details about the attacks or the threat actors involved were not disclosed. However, previous Ivanti vulnerabilities have been exploited by China-linked cyberespionage groups as zero-days.
In response to the discovery, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply the necessary fixes by October 4, 2024.
This disclosure coincides with Horizon3.ai’s release of a detailed technical analysis of a critical deserialization vulnerability (CVE-2024-29847, CVSS score: 10.0) in Endpoint Manager (EPM), which can also lead to remote code execution.