Unpatched Ivanti CSA Vulnerabilities Exploited in Recent Cyberattack
In mid-September 2024, researchers from FortiGuard Labs uncovered an attack in which an unidentified threat actor exploited vulnerabilities in Ivanti's Cloud Services Appliance (CSA). Of the three vulnerabilities involved, one was already known and tracked as CVE-2024-8190; the other two were previously undisclosed and came to light only during the investigation.
The attacker gained initial access to the appliance on September 4, 2024, by exploiting a path traversal vulnerability in the "/client/index.php" file together with a command injection vulnerability in the "reports.php" file. The combination let the attacker read user data without authenticating and execute arbitrary commands, extending access into the victim's systems.
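One way to hunt for the activity described above in web-server access logs is to flag requests whose decoded target contains a ".." traversal segment, and requests to reports.php whose parameters carry shell metacharacters. The Python below is an added example written for this article, not code from FortiGuard Labs or Ivanti; it assumes Combined Log Format (the appliance's real log layout may differ), matches reports.php by file name because the report does not give its directory, and runs on constructed log lines.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumed Combined Log Format (Apache/nginx style); the appliance's own
# web-server log layout may differ and would need a different LOG_RE.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A ".." segment anywhere in the decoded path or query string.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
# Shell metacharacters that do not belong in a report parameter. A bare '&'
# is excluded on purpose because it separates query parameters.
SHELL_META_RE = re.compile(r'[;|`\n]|\$\(|&&')

TRAVERSAL_REASON = '".." segment in request path or query'
INJECTION_REASON = 'shell metacharacter in reports.php parameter'


def analyze_request(target):
    """Return the reasons a request target looks like an attempt on the two
    files named in the report, or an empty list if nothing stands out.
    The target is URL-decoded twice so double-encoded payloads do not slip by."""
    decoded = unquote(unquote(target))
    parts = urlsplit(decoded)
    path, query = parts.path, parts.query
    reasons = []
    if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(query):
        reasons.append(TRAVERSAL_REASON)
    # The report gives only the file name, so match on the basename rather
    # than guessing the directory the file lives in.
    if posixpath.basename(path) == 'reports.php' and SHELL_META_RE.search(query):
        reasons.append(INJECTION_REASON)
    return reasons


def scan_log(lines):
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:          # skip lines in a layout we do not understand
            continue
        reasons = analyze_request(m['target'])
        if reasons:
            findings.append({'ip': m['ip'], 'ts': m['ts'],
                             'target': m['target'], 'reasons': reasons})
    return findings


# Constructed sample log, not real appliance data; client addresses are
# taken from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Sep/2024:10:14:02 +0000] "GET /client/index.php HTTP/1.1" 200 512
203.0.113.7 - - [04/Sep/2024:10:14:05 +0000] "GET /client/index.php/..%2F..%2Fadmin/ HTTP/1.1" 200 2048
203.0.113.7 - - [04/Sep/2024:10:15:11 +0000] "GET /reports.php?id=1%3Bid HTTP/1.1" 200 300
198.51.100.4 - - [04/Sep/2024:10:16:00 +0000] "GET /reports.php?id=42 HTTP/1.1" 200 300
this line is not in the expected format and is skipped
"""

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f['ts'], f['ip'], f['target'], '; '.join(f['reasons']))
```

The scan only sees what the access log records: an injection carried in a POST body does not appear in the request line and needs application-level or process-execution telemetry instead, and a single source address hitting both files within minutes, as in the constructed sample, is itself worth correlating.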
On September 11, the attacker began brute-forcing user passwords. Once in possession of privileged accounts, the attacker deployed web shells and kept exploiting the vulnerable files. Notably, to keep other intruders from using the same entry points, the attacker patched the vulnerabilities themselves. An appliance that appears patched is therefore not necessarily clean: the presence of unexpected web shells or modified application files has to be checked independently of the patch state.
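Because the attacker's self-patching can make a vulnerability scan report the appliance as fixed while it is still compromised, the check a responder wants is a file-integrity comparison: hash the appliance's PHP files against a known-good manifest, flag files that were added, changed or removed, and run a simple web-shell heuristic over the new and changed ones. The Python below is an added example written for this article, not code from FortiGuard Labs or Ivanti; it assumes a clean manifest is available (from a pristine install or vendor package), and the directory tree, file contents and web shell it works on are all constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# Code-execution primitives fed from request data, which is what most PHP
# web shells boil down to. Heuristic only: review every hit by hand.
EXEC_CALL_RE = re.compile(
    r'\b(eval|assert|system|passthru|exec|shell_exec|popen|proc_open)\s*\(', re.I)
REQUEST_INPUT_RE = re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\b|php://input', re.I)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, suffixes=('.php',)):
    """Map relative path -> SHA-256 for every file under root with a listed suffix."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, '/')
                result[rel] = sha256_file(full)
    return result


def diff_against_manifest(manifest, current):
    """Compare the live tree with the known-good manifest."""
    return {
        'added': sorted(set(current) - set(manifest)),
        'modified': sorted(p for p in manifest.keys() & current.keys()
                           if manifest[p] != current[p]),
        'missing': sorted(set(manifest) - set(current)),
    }


def looks_like_webshell(source):
    return bool(EXEC_CALL_RE.search(source) and REQUEST_INPUT_RE.search(source))


def triage(root, manifest):
    """Diff the tree against the manifest and flag added or modified files that
    look like web shells. A modified file with no shell indicator still needs
    a look: it may be the attacker's own patch of the entry point."""
    report = diff_against_manifest(manifest, hash_tree(root))
    suspicious = []
    for rel in report['added'] + report['modified']:
        with open(os.path.join(root, rel), encoding='utf-8', errors='replace') as f:
            if looks_like_webshell(f.read()):
                suspicious.append(rel)
    report['webshell_like'] = suspicious
    return report


def _write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'w', encoding='utf-8') as f:
        f.write(body)


def demo():
    """Constructed scenario: baseline a clean tree, then simulate an intruder
    who drops a web shell and 'patches' reports.php, and triage the result."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, 'client/index.php', "<?php echo 'client portal'; ?>\n")
        _write(root, 'reports.php', "<?php echo 'report ' . $_GET['id']; ?>\n")
        manifest = hash_tree(root)            # known-good baseline
        # Simulated attacker activity (constructed, not the real payloads):
        _write(root, 'reports.php', "<?php echo 'report ' . (int)$_GET['id']; ?>\n")
        _write(root, 'upload.php',
               "<?php if (isset($_POST['c'])) { system($_POST['c']); } ?>\n")
        return triage(root, manifest)


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key:13s} {value}')
```

In the constructed run the dropped upload.php is reported as added and web-shell-like, while the self-patched reports.php shows up only as modified; that second category is the one a patch-status check would miss entirely.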
At the time of publication, Ivanti had released a patch for CVE-2024-8190, but the other two CSA vulnerabilities remain a threat to users. FortiGuard Labs continues to analyze this threat actor's activity and plans to release additional information in future reports.