CVE-2024-8963
published 2024-09-19

CVE-2024-8963: Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.

Priority: P1 (score 100)
Severity: critical, CVSS 3.1 base score 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2024-10-10
Exploited in the wild
EPSS: 98.56% (99.9th percentile)

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
ivanti | cloud_services_appliance | |
ivanti | endpoint_manager_cloud_services_appliance | |

Detection & IOCs (extracted from sources)

ip: 206.189.156.69
path: /client/index.php
path: /gsb/users.php
path: /gsb/reports.php
path: /gsb/DateTimeTab.php
path: /gsb/datetime.php
path: /opt/landesk/broker/broker.conf
path: /backups
command: aiadmin
command: services
url: /client/index.php?%3F.php/../gsb/users.php
yara: php\w{6}
  • Look for path traversal patterns in web logs targeting /client/index.php with %3F.php injected in the URI, followed by traversal to /gsb/ resources such as users.php, reports.php, or datetime.php
  • Hunt for creation of unexpected administrative users (e.g., 'aiadmin', 'services') via the CSA dbtool utility, which indicates post-exploitation persistence
  • Review EDR/security software alerts and check for new or modified administrative users on CSA appliances as indicators of CVE-2024-8963 exploitation
  • Monitor for exploit chains: CVE-2024-8963 (path traversal) chained with CVE-2024-8190 (command injection) and/or CVE-2024-9380; also watch for CVE-2024-8963 chained with CVE-2024-9379 (SQL injection)
  • Hunt for webshells on compromised CSA appliances; filenames matching the pattern php followed by six alphanumeric characters (regex: php\w{6}) are indicative of attacker-planted webshells
  • Check for unauthorized access to /gsb/users.php via path traversal from /client/index.php in web server access logs, particularly from unauthenticated source IPs
  • Treat all credentials and sensitive data stored within affected Ivanti CSA appliances as compromised if exploitation is suspected
  • CVE-2024-8963 only affects Ivanti CSA version 4.6 patch 518 and earlier; the vulnerability was incidentally addressed in patch 519. CSA 5.0 is not affected.
  • Ivanti CSA 4.6 is End-of-Life; patch 519 (released 09/10/2024) is the last backported fix for this version. Migration to CSA 5.0.2 is strongly recommended.
  • Dual-homed CSA configurations with eth0 as an internal network significantly reduce the risk of exploitation by limiting external attacker access.
  • Additionally, it is important for customers to know that we have not observed exploitation of these vulnerabilities in any version of CSA 5.0.
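The log-hunting bullets above, turned into a runnable check. This is an added example, not code from this entry's sources: it percent-decodes each request URI (once or twice, since the injected %3F may arrive double-encoded), flags the /client/index.php → "?.php/../" → /gsb/ request shape, and applies the entry's php\w{6} name pattern to a file listing. The log lines and file paths are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style (not real telemetry);
# line 2 carries the traversal URI listed in this entry's IOCs.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Sep/2024:10:01:02 +0000] "GET /client/index.php HTTP/1.1" 200 512
203.0.113.10 - - [19/Sep/2024:10:01:05 +0000] "GET /client/index.php?%3F.php/../gsb/users.php HTTP/1.1" 200 2048
198.51.100.7 - - [19/Sep/2024:10:02:00 +0000] "GET /gsb/reports.php HTTP/1.1" 302 0
203.0.113.10 - - [19/Sep/2024:10:03:11 +0000] "GET /client/index.php?%253F.php/..%2Fgsb/datetime.php HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')
GSB_TARGETS = {"users.php", "reports.php", "DateTimeTab.php", "datetime.php"}
WEBSHELL_NAME = re.compile(r"\bphp\w{6}\b")  # the entry's webshell name pattern


def normalize(uri: str) -> str:
    """Percent-decode until stable, so %3F and double-encoded %253F both become '?'."""
    prev = None
    while prev != uri:
        prev, uri = uri, unquote(uri)
    return uri


def is_traversal(uri: str) -> bool:
    """True for the /client/index.php -> '?.php/../' -> /gsb/ request shape."""
    dec = normalize(uri).lower()
    return dec.startswith("/client/index.php?") and "?.php/../" in dec and "/gsb/" in dec


def scan_access_log(text: str) -> list:
    """One finding per matching request: source IP, time, raw URI, status, target."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group(4)):
            ip, ts, _method, uri, status = m.groups()
            target = normalize(uri).rsplit("/", 1)[-1]
            findings.append({"ip": ip, "time": ts, "uri": uri, "status": int(status),
                             "target": target, "known_target": target in GSB_TARGETS})
    return findings


def suspicious_webshell_names(paths) -> list:
    """Filter a file listing for basenames matching php + six word characters."""
    return [p for p in paths if WEBSHELL_NAME.search(p.rsplit("/", 1)[-1])]
```

A hit from an external source IP with status 200 and a known /gsb/ target is the strongest signal; pair it with the user-creation checks above before concluding exploitation.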

CVSS provenance

nvd: v3.1, 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vulncheck: 7.2 HIGH
cisa: 7.2 HIGH