Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks


Sep 20, 2024 | Ravie Lakshmanan | Enterprise Security / Network Security

Ivanti has disclosed a critical security vulnerability affecting its Cloud Service Appliance (CSA) that is being actively exploited in the wild.

The newly identified vulnerability, tracked as CVE-2024-8963, has a CVSS score of 9.4 out of 10.0 and was patched in CSA 4.6 Patch 519 and CSA 5.0.

“Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality,” the company announced in a bulletin on Thursday.

The vulnerability can be combined with CVE-2024-8190 (CVSS score: 7.2) to bypass admin authentication and execute unauthorized commands on the appliance.



Ivanti has warned of “a limited number of customers who have fallen victim to this vulnerability,” following reports of active exploitation attempts targeting CVE-2024-8190.

This suggests that threat actors are leveraging both vulnerabilities to achieve code execution on vulnerable devices.

The situation has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the necessary fixes by October 10, 2024.

It is strongly recommended that users upgrade to CSA version 5.0 without delay, as version 4.6 has reached its end-of-life and is no longer supported.
