CVE-2024-8963
published 2024-09-19
CVE-2024-8963: Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
Priority: P1 (100) · Severity: critical · CVSS 3.1 base score: 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · remediation due 2024-10-10
Exploited in the wild
EPSS: 98.56% (99.9th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | cloud_services_appliance | — | — |
| ivanti | endpoint_manager_cloud_services_appliance | — | — |
Detection & IOCs (extracted from sources)
Indicator (yara): php\w{6}
Hunting guidance:
- Look for path traversal patterns in web logs targeting /client/index.php with %3F.php injected in the URI, followed by traversal to /gsb/ resources such as users.php, reports.php, or datetime.php.
- Hunt for creation of unexpected administrative users (e.g. 'aiadmin', 'services') via the CSA dbtool utility; this indicates post-exploitation persistence.
- Review EDR/security software alerts and check for new or modified administrative users on CSA appliances as indicators of CVE-2024-8963 exploitation.
- Monitor for exploit chains: CVE-2024-8963 (path traversal) chained with CVE-2024-8190 (command injection) and/or CVE-2024-9380; also watch for CVE-2024-8963 chained with CVE-2024-9379 (SQL injection).
- Hunt for webshells on compromised CSA appliances; filenames matching "php" followed by six word characters (regex: php\w{6}; note that \w also matches underscore) are indicative of attacker-planted webshells.
- Check web server access logs for unauthorized access to /gsb/users.php via path traversal from /client/index.php, particularly from unauthenticated source IPs.
- Treat all credentials and sensitive data stored within affected Ivanti CSA appliances as compromised if exploitation is suspected.
Notes:
- CVE-2024-8963 only affects Ivanti CSA version 4.6 patch 518 and earlier; the vulnerability was incidentally addressed in patch 519. CSA 5.0 is not affected.
- Ivanti CSA 4.6 is End-of-Life; patch 519 (released 2024-09-10) is the last backported fix for this version. Migration to CSA 5.0.2 is strongly recommended.
- Dual-homed CSA configurations with eth0 as the internal network significantly reduce the risk of exploitation by limiting external attacker access.
- Ivanti: "Additionally, it is important for customers to know that we have not observed exploitation of these vulnerabilities in any version of CSA 5.0."
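The log-hunting and webshell-filename items above, turned into a runnable hunt. This is an added example written for this page, not code from Ivanti or from any of the sources cited here; the access-log lines, the directory listing and the IP addresses are constructed (documentation ranges), and the two regexes encode only the request shape (/client/index.php followed by ?.php/gsb/<script>.php) and the filename pattern (php\w{6}) that the items above describe. Repeated percent-decoding is a hunting choice so that %3F and double-encoded variants are not missed; it does not claim the appliance itself decodes more than once.

```python
"""Hunt for CVE-2024-8963 artefacts: traversal requests in web access logs
and attacker-style webshell filenames in a directory listing.

Added example; sample log lines and filenames below are constructed."""
import re
from urllib.parse import unquote

# Apache/nginx "combined"-style line: src ident user [ts] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request shape from the advisory text and the ET rule: the literal "?.php" after
# /client/index.php is what lets the path reach the otherwise-restricted /gsb/ scripts.
TRAVERSAL_RE = re.compile(
    r'/client/index\.php\?\.php/gsb/(?P<target>[^/?\s]+\.php)', re.IGNORECASE
)

# IOC from the page: "php" followed by exactly six word characters ([A-Za-z0-9_]).
WEBSHELL_RE = re.compile(r'\bphp\w{6}\b', re.IGNORECASE)


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %3F, %253F, ... all compare as '?'.

    Repeated decoding is a hunting choice (don't let an encoding variant slip
    past the regex); it is not a statement about how the appliance decodes.
    """
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def traversal_target(uri: str):
    """Return the /gsb/ script reached through the traversal, or None."""
    m = TRAVERSAL_RE.search(normalize_uri(uri))
    return m.group("target").lower() if m else None


def hunt_access_log(lines):
    """Return one dict per request that matches the CVE-2024-8963 exploit shape."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real hunt would count and report these
        target = traversal_target(m.group("uri"))
        if target is None:
            continue
        hits.append({
            "src": m.group("src"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "target": target,
            "uri": m.group("uri"),
        })
    return hits


def find_webshell_names(filenames):
    """Filter a directory listing down to names matching the php\\w{6} IOC."""
    return [name for name in filenames if WEBSHELL_RE.search(name)]


# Constructed sample log. 203.0.113.x / 198.51.100.x / 192.0.2.x are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2024:10:14:02 +0000] "GET /client/index.php%3F.php/gsb/users.php HTTP/1.1" 200 4213
203.0.113.7 - - [19/Sep/2024:10:14:05 +0000] "GET /client/index.php%253F.php/gsb/datetime.php HTTP/1.1" 200 1187
198.51.100.22 - - [19/Sep/2024:10:15:11 +0000] "GET /client/index.php HTTP/1.1" 200 6012
198.51.100.22 - - [19/Sep/2024:10:15:13 +0000] "POST /client/index.php?action=login HTTP/1.1" 302 0
192.0.2.9 - - [19/Sep/2024:10:16:40 +0000] "GET /gsb/users.php HTTP/1.1" 403 215
""".splitlines()

# Constructed directory listing of a CSA web root (hypothetical names).
SAMPLE_FILES = ["index.php", "phpinfo.php", "phpQx7Lm2.php", "reports.php",
                "php_Ab12c.php", "phpmyadmin"]

if __name__ == "__main__":
    for hit in hunt_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> /gsb/{hit['target']} (HTTP {hit['status']})")
    print("webshell candidates:", find_webshell_names(SAMPLE_FILES))
```

The last sample line shows why the traversal matters: a direct request to /gsb/users.php is refused (403 in the constructed log), while the same script reached through /client/index.php?.php/gsb/ is served. Feed real access logs through `hunt_access_log` and pair any hit with the dbtool/administrative-user checks above, since a successful traversal is the first link in the chains described on this page.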
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| vulncheck | — | 7.2 | HIGH | — |
| cisa | — | 7.2 | HIGH | — |
GHSA
GHSA-w7rx-cmpf-jrpp
ghsa_unreviewed · 2024-09-19 · CRITICAL · CWE-22
Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
VulnCheck
Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability
vulncheck · 2024 · CVSS 7.2 (HIGH) · CWE-22
Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance.
Affected: Ivanti Cloud Services Appliance (CSA)
Required Action: As Ivanti CSA has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line of supported solutions, as future vulnerabilities on the 4.6.x version of CSA are unlikely to receive security updates.
Exploitation References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud
Ivanti
Ivanti CSA Path Traversal
vendor_ivanti · 2024-09-19 · CVSS 9.4 (vendor score; the 7.2 HIGH shown on the VulnCheck and CISA cards is their own rating)
Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance.
CVE IDs: CVE-2024-8963
Affected products: Cloud Services Appliance
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: As Ivanti CSA has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line of supported solutions, as future vulnerabilities on the 4.6.x version of CSA are unlikely to receive security updates.
Remediation Due Date: 2024-10-10
CISA
Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability
cisa · 2024-09-19 · CVSS 7.2 (HIGH) · CWE-22
Affected: Ivanti Cloud Services Appliance (CSA)
Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance.
Required Action: As Ivanti CSA has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line of supported solutions, as future vulnerabilities on the 4.6.x version of CSA are unlikely to receive security updates.
Notes: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud-Ser
Suricata
ET EXPLOIT Ivanti Cloud Services Appliance Path Traversal Exploit Attempt (CVE-2024-8963)
suricata · 2024-10-15 · CVSS 7.2 (HIGH) · sid 2056685
Rule (as shown on the page; the metadata field is cut off at the end):
```suricata
alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Ivanti Cloud Services Appliance Path Traversal Exploit Attempt (CVE-2024-8963)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|client|2f|index|2e|php|3f 2e|php|2f|gsb|2f|"; startswith; fast_pattern; content:"|2e|php"; endswith; reference:cve,2024-8190; reference:url,fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa; reference:url,forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Service-Appliance-CSA-CVE-2024-8190; classtype:attempted-admin; sid:2056685; rev:1; metadata:affected_product Ivanti, created_at 2024_10_15, cve C
```
The rule matches the request shape `/client/index.php?.php/gsb/…php` in `http.uri`, which is Suricata's normalized (decoded) URI buffer; a request that sends the `?` percent-encoded as `%3F` is therefore compared after decoding. Its `reference:cve` field points at CVE-2024-8190, the command-injection bug that attackers chain with this traversal, which is why the page tags the rule with that CVE even though the request it detects is the CVE-2024-8963 traversal.
Nuclei
Ivanti Cloud Services Appliance - Path Traversal
nuclei · CVSS 9.1 (CRITICAL)
Template (as shown on the page; the body is cut off after the remediation field, so the request and matcher sections are not reproduced):
```yaml
id: CVE-2024-8963

info:
  name: Ivanti Cloud Services Appliance - Path Traversal
  author: johnk3r
  severity: critical
  description: |
    Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
  impact: |
    Unauthenticated attackers can exploit path traversal to access restricted administrative functionality, potentially gaining unauthorized control of the Ivanti Cloud Services Appliance and accessing sensitive user management features.
  remediation: |
    Update Ivanti Cloud Services Appliance to version 4.6 Patch 519 or later to address the
```
Wiz
Crying Out Cloud Newsletter - August 2025 | Wiz
blogs_wiz · 2025-08-10 · CVSS 9.0 (CRITICAL)
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Let's dive in.
## 🔍 Highlights
## Soco404 Cryptomining Campaign Exploits PostgreSQL and Cloud Misconfigurations
Wiz Research has uncovered the Soco404 campaign. A sophisticated, multi-platform cryptomining operation targeting cloud environments through exposed PostgreSQL instances, vulnerable Apache Tomcat servers, and other misconfigurations. The campaign delivers Linux and Windows payloads via fake 404 error pages embedded with base64 malware hosted on compromised or deceptive websites, including Google Sites and fraudulent crypto platforms. The attackers use a
Sentinelone
Follow the Smoke | China-nexus Threat Actors Hammer At the Doors of Top Tier Targets
blogs_sentinelone · 2025-06-09
## Executive Summary
In October 2024, SentinelLABS observed and countered a reconnaissance operation targeting SentinelOne, which we track as part of a broader activity cluster named PurpleHaze.
At the beginning of 2025, we also identified and helped disrupt an intrusion linked to a wider ShadowPad operation. The affected organization was responsible for managing hardware logistics for SentinelOne employees at the time.
A thorough investigation of SentinelOne’s infrastructure, software, and hardware assets confirmed that the attackers were unsuccessful and SentinelOne was not compromised by any of these activities.
The PurpleHaze and ShadowPad activity clusters span multiple partially related intru
Checkpoint
27th January – Threat Intelligence Report
blogs_checkpoint · 2025-01-27
Stark Aerospace, a US-based manufacturer specializing in missile systems and UAVs, contractor of the US Military and the Department of Defense (DoD), has been targeted by the INC ransomware group. The attackers claim to have exfiltrated 4TB of data, including design documentation, source codes, firmware for various UAVs, contracts with the DoD, supply chain information, and personal data of company instructors.
Check Point Threat Emulation and Harmony Endpoint provide pr
Bleepingcomputer
CISA: Hackers still exploiting older Ivanti bugs to breach networks
blogs_bleepingcomputer · 2025-01-23 · CVSS 7.2 (HIGH)
By Sergiu Gatlan
CISA and the FBI warned today that attackers are still exploiting Ivanti Cloud Service Appliances (CSA) security flaws patched since September to breach vulnerable networks.
The vulnerabilities chained in these attacks include CVE-2024-8963 (an admin authentication bypass patched in September) and CVE-2024-8190 (a remote code execution bug patched the same month). Two other bugs, CVE-2024-9379 (an SQL injection) and CVE-2024-9380 (a remote code execution vulnerability), were both addressed in October.
All four bugs have been tagged as exploited in zero-day attacks before. CISA added them to its Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies t
Bleepingcomputer
Ivanti warns of maximum severity CSA auth bypass vulnerability
blogs_bleepingcomputer · 2024-12-10 · CVSS 10.0 · CVE-2024-11639 (CRITICAL)
By Sergiu Gatlan
Today, Ivanti warned customers about a new maximum-severity authentication bypass vulnerability in its Cloud Services Appliance (CSA) solution.
The security flaw (tracked as CVE-2024-11639 and reported by CrowdStrike's Advanced Research Team) enables remote attackers to gain administrative privileges on vulnerable appliances running Ivanti CSA 5.0.2 or earlier without requiring authentication or user interaction by circumventing authentication using an alternate path or channel.
Ivanti advises admins to upgrade vulnerable appliances to CSA 5.0.3 using detailed information available in this support document .
"We are not aware of any customers being exploited by these vulnerabilities prior to public disc
Wiz
Crying Out Cloud - November 2024 Newsletter | Wiz
blogs_wiz · 2024-11-01 · CVSS 7.2 (HIGH)
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Let's dive in.
Here are our top picks!
## 🔍 Highlights
Supply Chain Attack on lottie-player
On October 30, 2024, a supply chain attack was initiated against the popular JavaScript library lottie-player, injecting malicious code that populates a Web3 wallet connection prompt on legitimate websites using the library, potentially targeting prominent cryptocurrency platforms and other high-traffic websites. The compromised versions of lottie-player were later removed from major CDNs and npm, but websites still using compromised versions of the library remain affected.
Fortinet
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs
blogs_fortinet · 2024-10-11 · CVSS 7.2 (HIGH)
FortiGuard Labs Threat Research
By Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans and Robert Reyes | October 11, 2024
Affected Platforms: Ivanti Cloud Services Appliance version 4.6 and prior
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
Today FortiGuard Labs is releasing this blog post about a case where an advanced adversary was observed exploiting three vulnerabilities affecting the Ivanti Cloud Services Appli
Bleepingcomputer
Ivanti warns of three more CSA zero-days exploited in attacks
blogs_bleepingcomputer · 2024-10-08 · CVSS 7.2 (HIGH)
By Sergiu Gatlan
American IT software company Ivanti has released security updates to fix three new Cloud Services Appliance (CSA) zero-days tagged as actively exploited in attacks.
As Ivanti revealed on Tuesday, attackers are chaining the three security flaws with another CSA zero-day patched in September.
Successful exploitation of these vulnerabilities can let remote attackers run SQL statements via SQL injection, execute arbitrary code via command injection, and bypass security restrictions by abusing a path traversal weakness on vulnerable CSA gateways (used to provide enterprise users secure access to internal network resources).
"We are aware of a limited number of customers running CSA 4.6 patch 518 and prior wh
Wiz
Crying Out Cloud - October 2024 Newsletter | Wiz
blogs_wiz · 2024-10-01 · CVSS 9.0 · CVE-2024-0132 (CRITICAL)
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks!
## 🔍 Highlights
Critical Vulnerability in NVIDIA Container Toolkit
Wiz Research uncovered a critical vulnerability, CVE-2024-0132, in the widely used NVIDIA Container Toolkit. The vulnerability allows attackers with control over a container image to escape the container and gain full access to the underlying host. It is strongly recommended to update the affected package to the latest version 1.16.2, while focusing on container hosts that might run untrusted container images.
According to Wiz data, 33% of cloud environments are impacted by CVE-2024-0132.
Learn more in our blog.
## 🐞 High Profile Vulnerab
Bleepingcomputer
Ivanti warns of another critical CSA flaw exploited in attacks
blogs_bleepingcomputer · 2024-09-19 · CVSS 7.2 (HIGH)
By Sergiu Gatlan
Today, Ivanti warned that threat actors are exploiting another Cloud Services Appliance (CSA) security flaw in attacks targeting a limited number of customers.
Tracked as CVE-2024-8963, this admin bypass vulnerability is caused by a path traversal weakness. Successful exploitation allows remote unauthenticated attackers to access restricted functionality on vulnerable CSA systems (used as gateways to provide enterprise users secure access to internal network resources).
Attackers are using exploits that chain CVE-2024-8963 with CVE-2024-8190 — a high-severity CSA command injection bug fixed last and tagged as actively exploited on Friday — to bypass admin authentication and execute arbitrary commands on
Greynoiseio
NoiseLetter March 2025
blogs_greynoiseio
Timeline: 2024-09-19 Published · 2024-09-19 Added to CISA KEV · Exploited in the wild