cbcvebase.
CVE-2024-9379
published 2024-10-08

CVE-2024-9379: SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL…

PriorityP180high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2024-10-30
Exploited in the wild
EPSS
43.58%
98.6th percentile
SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

Affected

2 ranges
VendorProductVersion rangeFixed in
ivanticsa
ivantiendpoint_manager_cloud_services_appliance< 5.0.25.0.2

Detection & IOCsextracted from sources · hover to see the quote

  • Look for new or modified admin users on CSA appliances as a sign of compromise via CVE-2024-9379 exploitation
  • Review EDR or other security software alerts for exploitation attempts targeting Ivanti CSA admin web console SQL injection
  • Hunt for webshells implanted on Ivanti CSA appliances as a post-exploitation artifact of CVE-2024-9379 chained attacks
  • Detect exploit chain: CVE-2024-8963 (admin bypass) combined with CVE-2024-9379 (SQL injection) as one of the two primary attack paths observed in confirmed compromises
  • Monitor for lateral movement from compromised Ivanti CSA appliances to internal servers, as observed in at least one confirmed incident
  • Check Point IPS signature available for detection: 'Ivanti Cloud Services Appliance SQL Injection (CVE-2024-9379)'
  • ·Exploitation has only been observed against CSA 4.6 patch 518 and prior; no exploitation observed in any version of CSA 5.0
  • ·CVE-2024-9379 requires the attacker to be authenticated as an administrator; it is not exploitable by unauthenticated users alone — it is chained with CVE-2024-8963 (admin bypass) to achieve pre-auth impact
  • ·CSA 4.6.x is end-of-life and will receive no further patches; the vulnerability is fixed in CSA 5.0.2

CVSS provenance

nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck7.2HIGH
cisa7.2HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.