FortiNDRCloud
kcheung
Staff
Article Id 387198
Description

The FortiGuard Incident Response (FGIR) service has seen campaigns involving several zero days targeting Ivanti Cloud Services Appliance (CSA) for initial access.


Threat actors are employing several Ivanti Cloud Services Appliance (CSA) zero days together to achieve remote code execution and credential access, and to deploy web shells after gaining access.


CVE-2024-8963 is a path traversal vulnerability in Ivanti Cloud Services Appliance (CSA) which allows unauthenticated attackers to access restricted functionality.


CVE-2024-9379 is an SQL injection vulnerability in Ivanti Cloud Services Appliance (CSA) which allows an authenticated attacker with admin privileges to run SQL statements.


CVE-2024-9380 is an OS command injection vulnerability in Ivanti Cloud Services Appliance (CSA) which allows authenticated attackers with admin privileges to perform remote code execution.


CVE-2024-9381 is a path traversal vulnerability in Ivanti Cloud Services Appliance (CSA) which allows authenticated attackers with admin privileges to bypass restrictions.


CVE-2024-8190 is an OS command injection vulnerability which allows authenticated attackers with admin privileges to perform remote code execution.


The following versions are affected:

  • Version < 4.6 Patch 519 is vulnerable to CVE-2024-8963
  • Version < 5.0.2 is vulnerable to CVE-2024-9379
  • Version < 5.0.2 is vulnerable to CVE-2024-9380
  • Version < 5.0.2 is vulnerable to CVE-2024-9381
  • Version < 4.6 Patch 518 is vulnerable to CVE-2024-8190

CVE ID

  • CVE-2024-9379 (https://nvd.nist.gov/vuln/detail/CVE-2024-9379)
  • CVE-2024-9380 (https://nvd.nist.gov/vuln/detail/CVE-2024-9380)
  • CVE-2024-9381 (https://nvd.nist.gov/vuln/detail/CVE-2024-9381)
  • CVE-2024-8963 (https://nvd.nist.gov/vuln/detail/CVE-2024-8963)
  • CVE-2024-8190 (https://nvd.nist.gov/vuln/detail/CVE-2024-8190)

NDR Cloud Detection Rule (FortiNDR Cloud v25.1.e+)

Detection Rule Name: Attack: Ivanti Exploitation Cloud Service Appliance Authenticated Command Injection (CVE-2024-8190, CVE-2024-8963, CVE-2024-9380)
Category: Attack: Exploitation
Primary MITRE ID: T1190 - Exploit Public-Facing Application

Playbook: N/A

Threat Hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for "Ivanti Cloud Services Appliance Zero-Day Attack" related activities.

IOC source: https://www.fortiguard.com/outbreak-ioc?tag=ivanti%20csa%20zero-day%20attack

All IOCs from the source above have been added to Threat Intelligence Intel.

Suricata Coverage

Customers can create custom investigation/detections using the Suricata signatures below:

2057138 -> ET WEB_SPECIFIC_APPS Ivanti Cloud Service Appliance Authenticated Command Injection (CVE-2024-9380)

2056685 -> ET EXPLOIT Ivanti Cloud Services Appliance Path Traversal Exploit Attempt (CVE-2024-8963)

2055984 -> ET WEB_SPECIFIC_APPS Ivanti Cloud Service Appliance Authenticated Command Injection (CVE-2024-8190)
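
As an added example (not part of the article or of any Fortinet or Suricata code), the following Python triages Suricata EVE JSON alerts for the three signature IDs above, grouping hits per source address and flagging sources that triggered both the unauthenticated path traversal signature and a command injection signature. The EVE lines are constructed sample data, not real traffic.

```python
import json
from collections import defaultdict

# Suricata signature IDs listed in the article, mapped to the CVE each one covers.
SID_TO_CVE = {
    2057138: "CVE-2024-9380",  # ET WEB_SPECIFIC_APPS ... Authenticated Command Injection
    2056685: "CVE-2024-8963",  # ET EXPLOIT ... Path Traversal Exploit Attempt
    2055984: "CVE-2024-8190",  # ET WEB_SPECIFIC_APPS ... Authenticated Command Injection
}

# Constructed sample EVE JSON lines (not real traffic); only the fields used below are present.
# One line is a non-alert event, one is an unrelated SID, and one is malformed on purpose.
SAMPLE_EVE = """\
{"timestamp":"2024-10-10T08:01:02.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.5","dest_port":443,"alert":{"signature_id":2056685,"signature":"ET EXPLOIT Ivanti Cloud Services Appliance Path Traversal Exploit Attempt (CVE-2024-8963)"}}
{"timestamp":"2024-10-10T08:01:05.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.5","dest_port":443,"alert":{"signature_id":2057138,"signature":"ET WEB_SPECIFIC_APPS Ivanti Cloud Service Appliance Authenticated Command Injection (CVE-2024-9380)"}}
{"timestamp":"2024-10-10T08:02:00.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"192.0.2.5","dest_port":443}
{"timestamp":"2024-10-10T08:03:00.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.5","dest_port":443,"alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
not valid json at all
"""

def triage_alerts(eve_lines):
    """Return {src_ip: {"cves": sorted CVE list, "hits": count, "first_seen": timestamp}}
    for alerts whose SID is one of the article's Ivanti CSA signatures.
    Malformed lines, non-alert events and other SIDs are skipped."""
    hits = defaultdict(lambda: {"cves": set(), "hits": 0, "first_seen": None})
    for line in eve_lines.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # malformed line: skip rather than abort the whole triage
        if ev.get("event_type") != "alert":
            continue
        cve = SID_TO_CVE.get(ev.get("alert", {}).get("signature_id"))
        if cve is None:
            continue
        rec = hits[ev["src_ip"]]
        rec["cves"].add(cve)
        rec["hits"] += 1
        if rec["first_seen"] is None or ev["timestamp"] < rec["first_seen"]:
            rec["first_seen"] = ev["timestamp"]
    return {ip: {**r, "cves": sorted(r["cves"])} for ip, r in hits.items()}

def chained_exploitation(summary):
    """Sources that hit both the unauthenticated path traversal signature (CVE-2024-8963)
    and a command injection signature, i.e. several CSA zero days used together."""
    return sorted(ip for ip, r in summary.items()
                  if "CVE-2024-8963" in r["cves"]
                  and {"CVE-2024-8190", "CVE-2024-9380"} & set(r["cves"]))

if __name__ == "__main__":
    summary = triage_alerts(SAMPLE_EVE)
    print(summary)
    print("chained:", chained_exploitation(summary))
```

Point it at a real eve.json by replacing SAMPLE_EVE with the file contents; the per-source grouping is what turns three separate signature hits into one investigation.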

Other Fortinet Products

For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to:

https://www.fortiguard.com/outbreak-alert/ivanti-csa-zero-day-attack
