cbcvebase.
CVE-2024-8190
published 2024-09-10

Priority: P1 · 85 · high · CVSS 3.1 base score 7.2
Vector: AV:N AC:L PR:H UI:N S:U C:H I:H A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2024-10-04
Exploited in the wild
EPSS: 88.95% (99.8th percentile)
An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

Affected (3 ranges)

Vendor  Product                      Version range  Fixed in
ivanti  cloud_services_appliance
ivanti  cloud_services_appliance
ivanti  cloud_services_appliance_os

Detection & IOCs (extracted from sources)

ip: 206.189.156.69
path: /client/index.php
path: /opt/landesk/broker/broker.conf
path: /backups
command: POST to /gsb/DateTimeTab.php with malicious TIMEZONE parameter containing base64-encoded Python payload
other: rogue users aiadmin and services created via dbtool
other: filename regex php\w{6} (php followed by six alphanumeric characters)
  • Detect exploitation of CVE-2024-8190 by monitoring POST requests to /gsb/DateTimeTab.php with anomalous or base64-encoded content in the TIMEZONE parameter.
  • Detect chained exploitation by monitoring for path traversal requests to /client/index.php containing %3F.php followed by appended internal resource paths (e.g., /gsb/users.php, /gsb/datetime.php).
  • Alert on creation of new or modified administrative users on CSA appliances, especially accounts named 'aiadmin' or 'services' created via the dbtool utility.
  • Monitor for outbound connections from CSA appliances to unexpected external IPs; the initial malicious C2 observed was 206.189.156.69.
  • Review EDR alerts and check for new or modified admin users on CSA appliances as indicators of exploitation attempts chaining CVE-2024-8963 with CVE-2024-8190.
  • Hunt for web shell files on CSA appliances matching the pattern php followed by exactly six alphanumeric characters, as the attacker's payload specifically searched for and modified permissions on such files.
  • CVE-2024-8190 requires admin-level authentication to exploit; however, attackers chain it with the unauthenticated path traversal CVE-2024-8963 to first bypass authentication, making the effective attack unauthenticated in chained scenarios.
  • CVE-2024-8190 only affects CSA 4.6 (end-of-life); CSA 5.0 is not affected. The fix for 4.6 (patch 519) is the last backport Ivanti will provide for that version.
  • Dual-homed CSA configurations with eth0 as an internal network significantly reduce exploitation risk by limiting external access to the management interface.
  • A PoC exploit for CVE-2024-8190 was publicly released by Horizon3.ai on September 16, 2024, increasing the risk of broader exploitation beyond the initial nation-state actor.
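Rule logic for three of the indicators above (the TIMEZONE POST, the %3F.php traversal chain, and the php\w{6} filename pattern), as an added example that is not part of this record or of any vendor tooling. It assumes form-encoded request bodies and that legitimate TIMEZONE values look like IANA zone names; the sample records are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs

# Assumption: legitimate TIMEZONE values look like IANA zone names ("Europe/Berlin", "UTC").
TZ_NAME = re.compile(r"[A-Za-z_]+(?:/[A-Za-z0-9_+-]+)*")
# A long run of base64-alphabet characters is the other indicator from the record.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Chained request: /client/index.php, %3F.php, then an appended internal path.
TRAVERSAL = re.compile(r"/client/index\.php%3F\.php(/\S+)", re.IGNORECASE)
# Web shell filename pattern from the record: "php" followed by six characters.
WEBSHELL_NAME = re.compile(r"php\w{6}")

# Constructed sample records (method, path, form body); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/gsb/DateTimeTab.php", "TIMEZONE=Europe%2FLondon"),
    ("POST", "/gsb/DateTimeTab.php", "TIMEZONE=QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),
    ("GET", "/client/index.php%3F.php/gsb/users.php", ""),
    ("GET", "/client/index.php", ""),
]

def check_datetime_post(method, path, body):
    """Reason string if a POST to /gsb/DateTimeTab.php carries a suspicious TIMEZONE."""
    if method != "POST" or path.split("?", 1)[0] != "/gsb/DateTimeTab.php":
        return None
    for value in parse_qs(body).get("TIMEZONE", []):
        if BASE64_BLOB.fullmatch(value):
            return "base64-looking TIMEZONE value"
        if not TZ_NAME.fullmatch(value):
            return "anomalous TIMEZONE value"
    return None

def check_traversal_chain(path):
    """Appended internal path if the raw path matches the %3F.php traversal pattern."""
    m = TRAVERSAL.search(path)
    return m.group(1) if m else None

def is_webshell_candidate(filename):
    # Match on the basename only, and require exactly six characters after "php".
    return WEBSHELL_NAME.fullmatch(filename.rsplit("/", 1)[-1]) is not None

def scan(requests):
    """(index, reason) pairs for every record that trips a rule."""
    hits = []
    for i, (method, path, body) in enumerate(requests):
        reason = check_datetime_post(method, path, body)
        if reason:
            hits.append((i, reason))
        chained = check_traversal_chain(path)
        if chained:
            hits.append((i, "traversal chain to " + chained))
    return hits
```

The traversal rule deliberately inspects the raw, still-encoded path, since the indicator is the literal %3F.php sequence rather than a decoded query string.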

CVSS provenance

nvd: v3.1 7.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
vulncheck: 7.2 HIGH
cisa: 7.2 HIGH