## Ivanti Warns of Actively Exploited Cloud Services Appliance Flaw

Fri Sep 20 07:09:40 UTC 2024

**Washington D.C. -** Software giant Ivanti has issued a warning about a critical vulnerability in its Cloud Services Appliance (CSA) product that is being actively exploited by attackers. The flaw, tracked as CVE-2024-8963 (CVSS score of 9.4), is a path traversal issue that could allow a remote, unauthenticated attacker to gain access to restricted functionality.

This vulnerability, discovered during investigations into a previously disclosed flaw (CVE-2024-8190), can be chained with that flaw to bypass administrative authentication and potentially execute arbitrary commands on the appliance.

Ivanti emphasizes that this vulnerability affects CSA 4.6, which is an end-of-life product no longer receiving updates. Customers are urged to upgrade to CSA 5.0 for continued support and security.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2024-8963 and CVE-2024-8190 to its Known Exploited Vulnerabilities (KEV) catalog. As per Binding Operational Directive (BOD) 22-01, federal agencies are mandated to address these vulnerabilities by October 10th, 2024, to mitigate the risk of attacks exploiting these flaws.

Organizations are encouraged to review the KEV catalog and patch their systems accordingly to protect against these vulnerabilities.
