September 16, 2024 at 05:27AM
Exploitation of the Ivanti Cloud Service Appliance (CSA) vulnerability CVE-2024-8190 began within days of the vendor publishing patches. The high-severity flaw (CVSS 7.2) is an OS command injection in the CSA administrative web console: an attacker who already holds admin-level access to the appliance can execute arbitrary commands on the underlying OS, so it is most dangerous when chained with another flaw or used against an appliance whose admin interface is exposed or weakly secured. It affects CSA 4.6. Ivanti fixed it in Patch 519 for CSA 4.6 and states that CSA 5.0 is not affected; CSA 4.6 is end-of-life and will receive no further security fixes, so the vendor's recommendation is to upgrade to CSA 5.0. Ivanti says a limited number of customers have been exploited, and CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. No public details of the attacks are available. Separately, technical details and a proof-of-concept (PoC) exploit were released for CVE-2024-29847, a deserialization of untrusted data flaw in the agent portal of Ivanti Endpoint Manager (EPM) that allows unauthenticated remote code execution; there is currently no indication that it has been exploited in the wild. Threat actors have repeatedly exploited Ivanti product vulnerabilities, including in attacks on high-profile organizations.
Key Takeaways:
1. In-the-wild exploitation of the Ivanti Cloud Service Appliance (CSA) vulnerability tracked as CVE-2024-8190 began shortly after the vendor announced patches on September 10.
2. The vulnerability is an OS command injection (CVSS 7.2, high severity) in the CSA administrative web console; an attacker needs admin-level privileges on the appliance to exploit it and can then run arbitrary OS commands.
3. Ivanti fixed the flaw in Patch 519 for CSA 4.6 and states that CSA 5.0 is not affected. CSA 4.6 has reached end-of-life and will receive no further security fixes, so remaining 4.6 deployments should be upgraded to CSA 5.0 rather than left on the patched but unsupported version.
4. CISA added CVE-2024-8190 to its Known Exploited Vulnerabilities (KEV) catalog on September 13, and Ivanti has confirmed that a limited number of customers have been exploited.
5. Because exploitation requires admin privileges, the flaw is most likely to be used alongside another vulnerability that yields admin access, or against appliances whose admin interface is reachable from the internet or protected by weak or default credentials. Ivanti's deployment guidance (dual-homed, with the admin interface on the internal network only) reduces the exposure.
6. Horizon3.ai released a proof-of-concept (PoC) exploit and technical write-up for CVE-2024-29847, an unauthenticated remote code execution flaw in Ivanti Endpoint Manager (EPM); there is currently no indication of exploitation in the wild, but public PoC availability typically shortens the time before it appears.
These takeaways summarize the urgency of addressing the vulnerabilities in Ivanti products, the specific risks associated with each vulnerability, and the potential for further exploitation by threat actors.
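One check a practitioner would want from a digest like this is whether a given CVE is already in CISA's KEV catalog and how long remains before its remediation due date. The script below is an added example, not code from the page's author, Ivanti or CISA. The feed URL is the real public KEV JSON endpoint; the embedded catalog is a constructed sample in the feed's schema whose values are illustrative, so the check runs offline. Pass fetch=True to query the live feed instead.

```python
"""Check CVE IDs against the CISA Known Exploited Vulnerabilities (KEV) feed.

Added example (not from the page's author, Ivanti or CISA). KEV_FEED_URL is
the real public endpoint; SAMPLE_KEV is a constructed catalog in the feed's
schema so the check runs offline. Its values are illustrative.
"""
import json
import urllib.request
from datetime import date
from typing import Any, Iterable, Optional, Union

KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/"
    "known_exploited_vulnerabilities.json"
)

# Constructed sample. Field names follow the real KEV schema; the values are
# illustrative and must not be treated as a copy of the live catalog.
SAMPLE_KEV: dict[str, Any] = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2024.09.13",
    "dateReleased": "2024-09-13T14:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-8190",
            "vendorProject": "Ivanti",
            "product": "Cloud Services Appliance",
            "vulnerabilityName": "Ivanti Cloud Services Appliance OS Command Injection Vulnerability",
            "dateAdded": "2024-09-13",
            "shortDescription": "OS command injection in the CSA admin console; requires admin privileges.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2024-10-04",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2024-21887",
            "vendorProject": "Ivanti",
            "product": "Connect Secure and Policy Secure",
            "vulnerabilityName": "Ivanti Connect Secure and Policy Secure Command Injection Vulnerability",
            "dateAdded": "2024-01-10",
            "shortDescription": "Command injection in the web component of Connect Secure / Policy Secure.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2024-01-22",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
}


def load_kev(fetch: bool = False, timeout: float = 15.0) -> dict[str, Any]:
    """Return the KEV catalog: the live feed when fetch=True, else the sample."""
    if not fetch:
        return SAMPLE_KEV
    with urllib.request.urlopen(KEV_FEED_URL, timeout=timeout) as resp:
        return json.load(resp)


def index_by_cve(catalog: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Map upper-cased CVE ID -> KEV entry so lookups do not rescan the list."""
    return {v["cveID"].upper(): v for v in catalog["vulnerabilities"]}


def entries_for_vendor(catalog: dict[str, Any], vendor: str) -> list[dict[str, Any]]:
    """All KEV entries whose vendorProject matches, case-insensitively."""
    want = vendor.strip().lower()
    return [v for v in catalog["vulnerabilities"] if v["vendorProject"].strip().lower() == want]


def kev_status(catalog: dict[str, Any], cve_ids: Iterable[str],
               today: Optional[Union[date, str]] = None) -> dict[str, dict[str, Any]]:
    """For each CVE: whether it is in KEV, its due date and days remaining.

    days_left is negative (and overdue True) once the due date has passed.
    A CVE absent from KEV only means CISA has not catalogued it; it is not
    evidence that the flaw is unexploited.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    idx = index_by_cve(catalog)
    out: dict[str, dict[str, Any]] = {}
    for cve in cve_ids:
        key = cve.strip().upper()
        entry = idx.get(key)
        if entry is None:
            out[key] = {"in_kev": False, "due": None, "days_left": None, "overdue": False}
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        out[key] = {"in_kev": True, "due": due, "days_left": days_left,
                    "overdue": days_left < 0, "product": entry["product"]}
    return out


if __name__ == "__main__":
    catalog = load_kev(fetch=False)  # fetch=True queries the live feed
    report = kev_status(catalog, ["CVE-2024-8190", "CVE-2024-29847"], "2024-09-16")
    for cve, s in report.items():
        if s["in_kev"]:
            state = "OVERDUE" if s["overdue"] else f"{s['days_left']} days left"
            print(f"{cve}: in KEV, due {s['due']} ({state}) [{s['product']}]")
        else:
            print(f"{cve}: not in KEV")
    print("Ivanti entries in catalog:", len(entries_for_vendor(catalog, "ivanti")))
```

The KEV due date is the federal remediation deadline under BOD 22-01, so a negative days_left is a useful red flag in a vulnerability-management report, but the absence of a CVE from KEV (as with CVE-2024-29847 at the time of this digest) says nothing about whether it is being exploited; it should be prioritised on its own merits, in this case an unauthenticated RCE with a public PoC.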