Ivanti confirmed that a high-severity vulnerability in its Cloud Services Appliance (CSA) is now being actively exploited in the wild. This disclosure comes after the multiple critical vulnerabilities recently patched in Ivanti's Endpoint Manager (EPM) software.
The Cybersecurity and Infrastructure Security Agency (CISA) has responded by adding the CSA vulnerability, identified as CVE-2024-8190, to its Known Exploited Vulnerabilities catalog. Federal agencies have been ordered to patch affected systems by October 4, underscoring the urgency of the situation.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned in its advisory.
The actively exploited flaw in CSA 4.6 allows remote authenticated attackers with administrative privileges to execute arbitrary code through command injection. Ivanti is urging customers to upgrade to CSA 5.0, which is not affected by this vulnerability.
This latest security issue compounds concerns raised earlier this week when Ivanti released patches for eleven critical vulnerabilities in its Endpoint Manager software. The most severe of these, CVE-2024-29847, received a maximum CVSS score of 10.0 and could allow unauthenticated remote code execution.
Security researchers at Horizon3.ai have released technical details of CVE-2024-29847, revealing that the vulnerability resides in EPM's Agent Portal service. Their analysis showed that the flaw could potentially allow arbitrary program execution, although the patched version restricts this to specific utilities like ping.exe and tracert.exe.
"At the time of disclosure on September 10, we were not aware of any customers being exploited by this vulnerability. At the time of the September 13 update, exploitation of a limited number of customers has been confirmed following public disclosure," Ivanti stated in an update to its advisory.
The company has released patches for the affected EPM versions:
- EPM 2024 users should update to version 2024 SU1
- EPM 2022 users should update to version 2022 SU6
In response to this spate of vulnerabilities, Ivanti has announced improvements to its security practices, including enhanced internal scanning and testing capabilities. The company attributes the recent "spike in discovery and disclosure" to these intensified security efforts.
"We agree with CISA's statement that the responsible discovery and disclosure of CVEs is 'a sign of healthy code analysis and testing community,'" an Ivanti spokesperson said.
Cybersecurity experts are advising Ivanti customers to take immediate action:
- Update all Ivanti products to the latest patched versions immediately.
- Review system logs for signs of exploitation attempts.
- Ensure EDR (Endpoint Detection and Response) systems are actively monitoring for threats.
- For CSA users, prioritize the upgrade from version 4.6.x to 5.0.
The active exploitation of these vulnerabilities highlights the critical importance of prompt security updates in maintaining robust cybersecurity postures.