Ivanti Cloud Services Appliance (CSA) Unauthenticated Remote Code Execution Vulnerability [CVE-2024-8963 and CVE-2024-8190]

Date of Disclosure: September 19, 2024

CVE-2024-8963 is a critical vulnerability affecting Ivanti Cloud Services Appliance (CSA) versions 4.6 Patch 519 and earlier, with a CVSS score of 9.4.

If successfully exploited it allows a remote unauthenticated attacker to achieve restricted access. As noted in Ivanti’s security advisory, if chained with CVE-2024-8190 (OS command injection) an attacker can gain admin privileges and achieve RCE.

Censys Perspective

At the time of writing, Censys observes 2,017 exposed Ivanti CSA instances online, mostly concentrated in the U.S. Note that not all of these are necessarily vulnerable – as specific device versions are not available. This vulnerability affects CSA versions 4.6.0 and earlier.

To identify exposed Ivanti Cloud Services Appliance instances, the following Censys queries can be used:

Censys Search Query:

services.http.response.html_title=`Ivanti(R) Cloud Services Appliance`

Censys ASM Query:

host.services.http.response.html_title=`Ivanti(R) Cloud Services Appliance` or web_entity.instances.http.response.html_title=`Ivanti(R) Cloud Services Appliance`

References

1. https://www.cve.org/CVERecord?id=CVE-2024-8963
2. https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud-Services-Appliance-CVE-2024-8963?language=en_US
3. https://www.cisa.gov/news-events/alerts/2024/09/19/ivanti-releases-admin-bypass-security-update-cloud-services-appliance
4. https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Service-Appliance-CSA-CVE-2024-8190?language=en_US&_gl=1*11u91ls*_gcl_au*OTI3NTYxOTczLjE3MjIyOTAxMjk.