CVE-2024-9380
published 2024-10-08


Priority: P1 / 83 / high
CVSS 3.1 base score: 7.2 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA KEV: listed; remediation due 2024-10-30
Exploited in the wild: yes
EPSS: 62.99% (99.1 percentile)
An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution.

Affected (2 ranges)

Vendor   Product                                      Version range   Fixed in
ivanti   csa_os                                       (not given)     (not given)
ivanti   endpoint_manager_cloud_services_appliance    < 5.0.2         5.0.2

Detection & IOCs (extracted from sources)

Paths:
  /gsb/reports.php
  /opt/landesk/broker/broker.conf
  /backups
  • Look for CVE-2024-9380 chained with CVE-2024-8963 (path traversal via /client/index.php): the traversal is used first to reach /gsb/reports.php, and only then is the command injection triggered.
  • Detect rogue admin user creation on CSA appliances; threat actors created users named 'aiadmin' and 'services' with the dbtool utility to keep persistent access.
  • Hunt for webshell files on the CSA appliance filesystem whose names match the regex php\w{6} (the string 'php' followed by exactly six word characters). Note that \w also matches '_', so treat hits as a review queue rather than a verdict.
  • Monitor POST requests to /gsb/DateTimeTab.php whose TIMEZONE parameter carries base64-encoded payloads, indicative of CVE-2024-8190 command injection used together with CVE-2024-9380.
  • Alert on new or modified admin users in the CSA management console as a sign of compromise.
  • Detect malformed requests to /client/index.php containing %3F.php in the URI; this is the path traversal technique used to pivot to restricted PHP resources.
  • Hunt for lateral movement from the CSA appliance to internal servers; in at least one confirmed compromise the actors moved laterally to two servers after gaining initial access.
  • Treat all credentials and sensitive data stored on affected Ivanti CSA appliances as compromised and rotate them.
  • CVE-2024-9380 only affects CSA versions before 5.0.2. CSA 5.0 instances have not been observed as exploited, but anything below 5.0.2 is still inside the affected range and should be updated to 5.0.2.
  • CVE-2024-9380 requires the attacker to already be authenticated as an admin; it is typically chained with CVE-2024-8963 (path traversal) to obtain or bypass that authentication first.
  • CSA 4.6 is end-of-life and will receive no further patches; detections for that version must not assume any vendor-supplied mitigation is in place.
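The three network-side indicators above (the %3F.php traversal on /client/index.php, the base64 TIMEZONE payload posted to /gsb/DateTimeTab.php, and the php\w{6} webshell name pattern) can be run over exported request records and a file listing with a few lines of Python. This is an added example, not Ivanti's code and not taken from any of the cited sources: the request-record shape (one dict with src/method/uri/body, as a reverse proxy or WAF export might give) and the exact form of the traversal URI are assumptions, and every sample below is constructed, with a deliberately harmless command in the payload.

```python
"""Detection logic for the Ivanti CSA exploitation chain described above.

Added example, not Ivanti's or any vendor's code. The input shape (one dict per
request with src/method/uri/body, plus a list of file paths) is an assumption
standing in for a reverse-proxy or WAF export and a filesystem listing; every
sample below is constructed, not taken from a real incident.
"""
import base64
import binascii
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, quote, unquote

# Path traversal (CVE-2024-8963): /client/index.php with %3F.php still
# percent-encoded in the raw request line, used to pivot into /gsb/.
TRAVERSAL_RE = re.compile(r"^/client/index\.php.*%3F\.php", re.IGNORECASE)
# A run of base64 alphabet long enough to be a payload rather than a word.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
# Webshell name pattern from the IOC list. \w also matches '_', so hits are
# a review queue, not a verdict.
WEBSHELL_RE = re.compile(r"php\w{6}")


def is_traversal(raw_uri: str) -> bool:
    return TRAVERSAL_RE.search(raw_uri) is not None


def traversal_target(raw_uri: str) -> str:
    """Decoded path reached after the ?.php pivot, or '' if there is no pivot."""
    decoded = unquote(raw_uri)
    idx = decoded.lower().find("?.php")
    return decoded[idx + len("?.php"):] if idx >= 0 else ""


def decode_b64_runs(value: str) -> list[str]:
    """Decode each base64-looking run; runs that fail strict decoding are skipped."""
    decoded = []
    for run in B64_RUN_RE.findall(value):
        try:
            decoded.append(base64.b64decode(run, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue
    return decoded


def timezone_payloads(method: str, raw_uri: str, body: str) -> list[str]:
    """CVE-2024-8190 indicator: POST to /gsb/DateTimeTab.php whose TIMEZONE
    form field carries base64. Returns the decoded payload(s)."""
    path = unquote(raw_uri.split("?", 1)[0])
    if method.upper() != "POST" or not path.endswith("/gsb/DateTimeTab.php"):
        return []
    payloads = []
    for value in parse_qs(body, keep_blank_values=True).get("TIMEZONE", []):
        payloads.extend(decode_b64_runs(value))
    return payloads


def is_webshell_name(path: str) -> bool:
    return WEBSHELL_RE.search(PurePosixPath(path).name) is not None


def scan_requests(records: list[dict]) -> list[dict]:
    findings = []
    for r in records:
        if is_traversal(r["uri"]):
            findings.append({"src": r["src"], "rule": "CVE-2024-8963 traversal",
                             "target": traversal_target(r["uri"])})
        for payload in timezone_payloads(r["method"], r["uri"], r["body"]):
            findings.append({"src": r["src"], "rule": "CVE-2024-8190 TIMEZONE",
                             "decoded": payload})
    return findings


def scan_files(paths: list[str]) -> list[str]:
    return [p for p in paths if is_webshell_name(p)]


# Constructed samples. The traversal URI form is an assumption about how the
# pivot shows up in a log; the embedded command is harmless on purpose.
_CMD = "id; uname -a"
_B64 = base64.b64encode(_CMD.encode()).decode()
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "method": "GET", "uri": "/client/index.php", "body": ""},
    {"src": "203.0.113.9", "method": "GET",
     "uri": "/client/index.php%3F.php/gsb/reports.php", "body": ""},
    {"src": "203.0.113.9", "method": "POST",
     "uri": "/client/index.php%3F.php/gsb/DateTimeTab.php",
     "body": "TIMEZONE=" + quote(f";echo {_B64} | base64 -d | sh;")},
]
SAMPLE_FILES = [
    "/opt/landesk/broker/broker.conf",
    "/gsb/reports.php",
    "/gsb/phpK3m9Qx.php",
    "/backups/php_12345",
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
    print("webshell candidates:", scan_files(SAMPLE_FILES))
```

The traversal rule matches on the raw, still percent-encoded request line because that is where %3F.php is visible; decoding first would turn it into a literal '?' and merge it with any real query string. The TIMEZONE rule decodes the base64 so the analyst sees the command rather than an opaque blob, and the file rule shows the underscore looseness of \w by flagging /backups/php_12345 alongside the more convincing /gsb/phpK3m9Qx.php.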

CVSS provenance

NVD (CVSS v3.1): 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 7.2 HIGH
CISA: 7.2 HIGH