CVE-2024-9379
Published: 2024-10-08
Priority: P1, 80, high | CVSS 3.1: 7.2
AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
CISA Known Exploited Vulnerability (KEV), due 2024-10-30
Exploited in the wild (ITW)
EPSS: 43.58% (98.6th percentile)
SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | csa | — | — |
| ivanti | endpoint_manager_cloud_services_appliance | < 5.0.2 | 5.0.2 |
Detection & IOCs (extracted from sources)
- Look for new or modified admin users on CSA appliances as a sign of compromise via CVE-2024-9379 exploitation
- Review EDR or other security software alerts for exploitation attempts targeting Ivanti CSA admin web console SQL injection
- Hunt for webshells implanted on Ivanti CSA appliances as a post-exploitation artifact of CVE-2024-9379 chained attacks
- Detect exploit chain: CVE-2024-8963 (admin bypass) combined with CVE-2024-9379 (SQL injection) as one of the two primary attack paths observed in confirmed compromises
- Monitor for lateral movement from compromised Ivanti CSA appliances to internal servers, as observed in at least one confirmed incident
- Check Point IPS signature available for detection: 'Ivanti Cloud Services Appliance SQL Injection (CVE-2024-9379)'
- Exploitation has only been observed against CSA 4.6 patch 518 and prior; no exploitation observed in any version of CSA 5.0
- CVE-2024-9379 requires the attacker to be authenticated as an administrator; it is not exploitable by unauthenticated users alone. It is chained with CVE-2024-8963 (admin bypass) to achieve pre-auth impact
- CSA 4.6.x is end-of-life and will receive no further patches; the vulnerability is fixed in CSA 5.0.2
CVSS provenance
nvd · v3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck · 7.2 HIGH
cisa · 7.2 HIGH
GHSA
GHSA-cp43-973g-2qqg: SQL injection in the admin web console of Ivanti CSA before version 5
ghsa_unreviewed·2024-10-08
CVE-2024-9379 [MEDIUM] CWE-89 GHSA-cp43-973g-2qqg: SQL injection in the admin web console of Ivanti CSA before version 5
SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
VulnCheck
Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
vulncheck·2024·CVSS 6.5
CVE-2024-9379 [MEDIUM] CWE-89 Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.
Affected: Ivanti Cloud Services Appliance (CSA)
Required Action: As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Exploitation References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://harfang
VulnCheck
Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability
vulncheck·2024·CVSS 7.2
CVE-2024-8963 [HIGH] CWE-22 Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability
Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance.
Affected: Ivanti Cloud Services Appliance (CSA)
Required Action: As Ivanti CSA has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line of supported solutions, as future vulnerabilities on the 4.6.x version of CSA are unlikely to receive security updates.
Exploitation References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud
VulnCheck
Ivanti CSA Path Traversal Security Bypass Vulnerability
vulncheck·2024·CVSS 6.5
CVE-2024-9381 [MEDIUM] Ivanti CSA Path Traversal Security Bypass Vulnerability
Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.
Affected: Ivanti CSA (Cloud Services Application)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US; https://harfanglab.io/insidethelab/insights-ivanti-csa-exploitation/; https://www.fortiguard.com/outbreak-alert/ivanti-csa-zero-day-attack; https://images.global.fortinet.com/Web/FortinetInc2/%7B4e3646cf-fdb5-4c17-8bca-4f506f5
VulnCheck
Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
vulncheck·2024·CVSS 6.5
CVE-2024-9380 [MEDIUM] CWE-77 Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.
Affected: Ivanti Cloud Services Appliance (CSA)
Required Action: As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Exploitation References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https:
CISA
Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
cisa·2024-10-09·CVSS 7.2
CVE-2024-9379 [HIGH] CWE-89 Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
Vulnerability: Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
Affected: Ivanti Cloud Services Appliance (CSA)
Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.
Required Action: As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Notes: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381 ; https://nvd.nist.gov/vuln/detail/CVE-2024-9379
Remediation Due Date: 2024-10-30
CISA
Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
cisa·2024-10-09·CVSS 7.2
CVE-2024-9380 [HIGH] CWE-77 Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
Vulnerability: Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
Affected: Ivanti Cloud Services Appliance (CSA)
Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.
Required Action: As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Notes: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381 ; https://nvd.nist.gov/vuln/detail/CVE-2024-9380
Remediation Due Date: 2024-10-30
Ivanti
Ivanti CSA SQL Injection
vendor_ivanti·2024-10-09·CVSS 6.5
CVE-2024-9379 [MEDIUM] Ivanti CSA SQL Injection
Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.
CVE IDs: CVE-2024-9379
Affected products: Cloud Services Appliance
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Remediation Due Date: 2024-10-30
No detection rules found.
No public exploits indexed.
Checkpoint
27th January – Threat Intelligence Report
blogs_checkpoint·2025-01-27
CVE-2024-8963 27th January – Threat Intelligence Report
## 27th January – Threat Intelligence Report
Stark Aerospace, a US-based manufacturer specializing in missile systems and UAVs, contractor of the US Military and the Department of Defense (DoD), has been targeted by the INC ransomware group. The attackers claim to have exfiltrated 4TB of data, including design documentation, source codes, firmware for various UAVs, contracts with the DoD, supply chain information, and personal data of company instructors.
Check Point Threat Emulation and Harmony Endpoint provide pr
Bleepingcomputer
CISA: Hackers still exploiting older Ivanti bugs to breach networks
blogs_bleepingcomputer·2025-01-23·CVSS 7.2
CVE-2024-8963 [HIGH] CISA: Hackers still exploiting older Ivanti bugs to breach networks
## CISA: Hackers still exploiting older Ivanti bugs to breach networks
## Sergiu Gatlan
CISA and the FBI warned today that attackers are still exploiting Ivanti Cloud Service Appliances (CSA) security flaws patched since September to breach vulnerable networks.
The vulnerabilities chained in these attacks include CVE-2024-8963 (an admin authentication bypass patched in September) and CVE-2024-8190 (a remote code execution bug patched the same month). Two other bugs, CVE-2024-9379 (an SQL injection) and CVE-2024-9380 (a remote code execution vulnerability), were both addressed in October.
All four bugs have been tagged as exploited in zero-day attacks before. CISA added them to its Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies t
Bleepingcomputer
Ivanti warns of maximum severity CSA auth bypass vulnerability
blogs_bleepingcomputer·2024-12-10·CVSS 10.0
CVE-2024-11639 [CRITICAL] Ivanti warns of maximum severity CSA auth bypass vulnerability
## Ivanti warns of maximum severity CSA auth bypass vulnerability
## Sergiu Gatlan
Today, Ivanti warned customers about a new maximum-severity authentication bypass vulnerability in its Cloud Services Appliance (CSA) solution.
The security flaw (tracked as CVE-2024-11639 and reported by CrowdStrike's Advanced Research Team) enables remote attackers to gain administrative privileges on vulnerable appliances running Ivanti CSA 5.0.2 or earlier without requiring authentication or user interaction by circumventing authentication using an alternate path or channel.
Ivanti advises admins to upgrade vulnerable appliances to CSA 5.0.3 using detailed information available in this support document.
"We are not aware of any customers being exploited by these vulnerabilities prior to public disc
Bleepingcomputer
Ivanti warns of three more CSA zero-days exploited in attacks
blogs_bleepingcomputer·2024-10-08·CVSS 7.2
[HIGH] Ivanti warns of three more CSA zero-days exploited in attacks
## Ivanti warns of three more CSA zero-days exploited in attacks
## Sergiu Gatlan
American IT software company Ivanti has released security updates to fix three new Cloud Services Appliance (CSA) zero-days tagged as actively exploited in attacks.
As Ivanti revealed on Tuesday, attackers are chaining the three security flaws with another CSA zero-day patched in September.
Successful exploitation of these vulnerabilities can let remote attackers run SQL statements via SQL injection, execute arbitrary code via command injection, and bypass security restrictions by abusing a path traversal weakness on vulnerable CSA gateways (used to provide enterprise users secure access to internal network resources).
"We are aware of a limited number of customers running CSA 4.6 patch 518 and prior wh
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
2024-10-08: Published
2024-10-09: Added to CISA KEV
Exploited in the wild