Skip to main content
kcheung
Staff
kcheung
Staff
April 11, 2025

FortiGuard Outbreak Alert: Ivanti Cloud Services Appliance Zero-Day Attack

  • April 11, 2025
  • 0 replies
  • 551 views
Description

FortiGuard Incident Response (FGIR) service have seen campaigns involving various zero days targeting Ivanti Cloud Services Appliance (CSA) for initial access.


Threat actors are employing several Ivanti Cloud Services Appliance (CSA) zero days together to conduct RCE, credential access, and deploying web shells after gaining access.

 

CVE-2024-8963 is a path traversal vulnerability in Ivanti Cloud Services Appliance (CSA) which allows unauthenticated attackers to access restricted functionality.


CVE-2024-9379 is an SQL injection vulnerability in Ivanti Cloud Services Appliance (CSA) which allows authenticated attacker with admin privileges to run SQL statements.


CVE-2024-9380 is an OS command injection vulnerability in Ivanti Cloud Services Appliance (CSA) which allows authenticated attackers with admin privileges to perform remote code execution.


CVE-2024-9381 is a path traversal vulnerability in Ivanti Cloud Services Appliance (CSA) which allows authenticated attackers with admin privileges to bypass restrictions.


CVE-2024-8190 is an OS command injection vulnerability which allows authenticated attackers with admin privileges to perform remote code execution.

 

The following versions are affected:

  • Version < 4.6 Patch 519 is vulnerable to CVE-2024-8963
  • Version < 5.0.2 is vulnerable to CVE-2024-9379
  • Version < 5.0.2 is vulnerable to CVE-2024-9380
  • Version < 5.0.2 is vulnerable CVE-2024-9381
  • Version < 4.6 Patch 518 is vulnerable to CVE-2024-8190
CVE ID CVE-2024-9379 (https://nvd.nist.gov/vuln/detail/CVE-2024-9379)
CVE-2024-9380 (https://nvd.nist.gov/vuln/detail/CVE-2024-9380)
CVE-2024-9381 (https://nvd.nist.gov/vuln/detail/CVE-2024-9381)
CVE-2024-8963 (https://nvd.nist.gov/vuln/detail/CVE-2024-8963)
CVE-2024-8190 (https://nvd.nist.gov/vuln/detail/CVE-2024-8190)
NDR Cloud Detection Rule FortiNDR Cloud v25.1.e+
Detection Rule Name Category Primary MITRE ID
Attack: Ivanti Exploitation Cloud Service Appliance Authenticated Command Injection (CVE-2024-8190, CVE-2024-8963, CVE-2024-9380) Attack: Exploitation T1190 - Exploit Public-Facing Application
Playbook N/A
Threat Hunting FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for “Ivanti Cloud Services Appliance Zero-Day Attack” related activities.
IOC source: https://www.fortiguard.com/outbreak-ioc?tag=ivanti%20csa%20zero-day%20attack
All IOCs listed above have been added to Threat Intelligence Intel.
Suricata Coverage

Customers can create custom investigation/detections using the Suricata signatures below:

2057138 -> ET WEB_SPECIFIC_APPS Ivanti Cloud Service Appliance Authenticated Command Injection (CVE-2024-9380)

2056685 -> ET EXPLOIT Ivanti Cloud Services Appliance Path Traversal Exploit Attempt (CVE-2024-8963)

2055984 -> ET WEB_SPECIFIC_APPS Ivanti Cloud Service Appliance Authenticated Command Injection (CVE-2024-8190)
Other Fortinet Products

For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to:

https://www.fortiguard.com/outbreak-alert/ivanti-csa-zero-day-attack
Terms & ConditionsAccessibility statement