CVE-2024-9380
Published 2024-10-08
Priority: P1 · 83 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (due 2024-10-30)
Exploited in the wild
EPSS: 62.99% (99.1th percentile)
An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | csa_os | — | — |
| ivanti | endpoint_manager_cloud_services_appliance | < 5.0.2 | 5.0.2 |
Detection & IOCs (extracted from sources)
- Look for exploitation of CVE-2024-9380 chained with CVE-2024-8963 (path traversal on /client/index.php): the path traversal is used first to reach /gsb/reports.php before the command injection is triggered.
- Detect rogue admin user creation on CSA appliances: threat actors created users named 'aiadmin' and 'services' via the dbtool utility to maintain persistent access.
- Hunt for webshell files matching the regex php\w{6} (string 'php' followed by exactly six alphanumeric characters) dropped on the CSA appliance filesystem.
- Monitor POST requests to /gsb/DateTimeTab.php with a TIMEZONE parameter containing base64-encoded payloads, indicative of CVE-2024-8190 command injection used in conjunction with CVE-2024-9380.
- Alert on new or modified admin users in the CSA management console as a sign of compromise.
- Detect malformed URL requests to /client/index.php containing %3F.php in the URI, which is the path traversal technique used to pivot to restricted PHP resources.
- Hunt for lateral movement from the CSA appliance to internal servers: in at least one confirmed compromise, actors moved laterally to two servers after gaining initial access.
- Treat all credentials and sensitive data stored within affected Ivanti CSA appliances as compromised and rotate them.
- CVE-2024-9380 only affects CSA versions prior to 5.0.2; CSA 5.0 instances have not been observed as exploited.
- CVE-2024-9380 requires the attacker to already be authenticated as an admin; it is typically chained with CVE-2024-8963 (path traversal) to first obtain or bypass authentication.
- CSA 4.6 is end-of-life and will receive no further patches; detections targeting this version should account for the absence of vendor-supplied mitigations.
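The URI, filename and account indicators listed above can be turned into a small triage script. This is an added example, not code from any of the cited sources; it assumes a combined-style web access log, and the sample lines, IP addresses and filenames are constructed. Access logs carry no request bodies, so the TIMEZONE and TW_ID checks still need a body-aware sensor such as the Suricata rule below.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed combined-log layout; adapt LOG_RE to your web tier).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2024:09:14:02 +0000] "GET /client/index.php%3F.php/constructed-path HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2024:09:14:09 +0000] "POST /gsb/reports.php HTTP/1.1" 200 312
203.0.113.20 - - [10/Oct/2024:09:20:41 +0000] "GET /client/index.php HTTP/1.1" 200 2048
203.0.113.20 - - [10/Oct/2024:09:21:00 +0000] "POST /gsb/DateTimeTab.php HTTP/1.1" 200 901
192.0.2.44 - - [10/Oct/2024:09:22:13 +0000] "GET /gsb/style.css HTTP/1.1" 200 777
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"')
WEBSHELL_RE = re.compile(r"php\w{6}")    # pattern quoted on the page; \w also admits "_"
ROGUE_USERS = {"aiadmin", "services"}    # account names quoted on the page

def classify(method, uri):
    """Return every indicator tag one request matches (possibly none)."""
    path = uri.split("?", 1)[0].lower()
    tags = []
    if path.startswith("/client/index.php") and "%3f.php" in path:
        tags.append("traversal")         # CVE-2024-8963 indicator
    if method == "POST" and path.endswith("/gsb/reports.php"):
        tags.append("reports_post")      # endpoint tied to CVE-2024-9380
    if method == "POST" and path.endswith("/gsb/datetimetab.php"):
        tags.append("datetime_post")     # endpoint tied to CVE-2024-8190
    return tags

def hunt(log_text):
    """Group hits by source IP; 'chained' means a traversal hit followed by a console POST."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (tags := classify(m["method"], m["uri"])):
            hits[m["ip"]].extend(tags)
    report = {}
    for ip, tags in hits.items():
        start = tags.index("traversal") if "traversal" in tags else len(tags)
        chained = any(t.endswith("_post") for t in tags[start:])
        report[ip] = {"tags": tags, "chained": chained}
    return report

def webshell_candidates(filenames):
    """Filenames that match php\\w{6} in full."""
    return [f for f in filenames if WEBSHELL_RE.fullmatch(f)]

def rogue_admins(usernames):
    """Known rogue account names present in a user listing (case-insensitive)."""
    return sorted(ROGUE_USERS & {u.lower() for u in usernames})
```

A POST to either console endpoint on its own is normal admin activity and is only a review lead; the `chained` flag is what separates it from a traversal-preceded sequence from the same source.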
CVSS provenance
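| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 7.2 | HIGH | — |
| cisa | — | 7.2 | HIGH | — |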
GHSA
ghsa_unreviewed·2024-10-08
CVE-2024-9380 [HIGH] CWE-77 GHSA-v7hg-q674-723g: An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5
An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution.
VulnCheck
Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
vulncheck·2024·CVSS 6.5
CVE-2024-9379 [MEDIUM] CWE-89 Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.
Affected: Ivanti Cloud Services Appliance (CSA)
Required Action: As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Exploitation References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://harfang
VulnCheck
Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability
vulncheck·2024·CVSS 7.2
CVE-2024-8963 [HIGH] CWE-22 Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability
Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance.
Affected: Ivanti Cloud Services Appliance (CSA)
Required Action: As Ivanti CSA has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line of supported solutions, as future vulnerabilities on the 4.6.x version of CSA are unlikely to receive security updates.
Exploitation References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud
VulnCheck
Ivanti CSA Path Traversal Security Bypass Vulnerability
vulncheck·2024·CVSS 6.5
CVE-2024-9381 [MEDIUM] Ivanti CSA Path Traversal Security Bypass Vulnerability
Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.
Affected: Ivanti CSA (Cloud Services Application)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US; https://harfanglab.io/insidethelab/insights-ivanti-csa-exploitation/; https://www.fortiguard.com/outbreak-alert/ivanti-csa-zero-day-attack; https://images.global.fortinet.com/Web/FortinetInc2/%7B4e3646cf-fdb5-4c17-8bca-4f506f5
VulnCheck
Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
vulncheck·2024·CVSS 6.5
CVE-2024-9380 [MEDIUM] CWE-77 Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.
Affected: Ivanti Cloud Services Appliance (CSA)
Required Action: As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Exploitation References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https:
CISA
Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
cisa·2024-10-09·CVSS 7.2
CVE-2024-9379 [HIGH] CWE-89 Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
Vulnerability: Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
Affected: Ivanti Cloud Services Appliance (CSA)
Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.
Required Action: As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Notes: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381 ; https://nvd.nist.gov/vuln/detail/CVE-2024-9379
Remediation Due Date: 2024-10-30
CISA
Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
cisa·2024-10-09·CVSS 7.2
CVE-2024-9380 [HIGH] CWE-77 Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
Vulnerability: Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
Affected: Ivanti Cloud Services Appliance (CSA)
Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.
Required Action: As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Notes: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381 ; https://nvd.nist.gov/vuln/detail/CVE-2024-9380
Remediation Due Date: 2024-10-30
Ivanti
Ivanti CSA OS Command Injection
vendor_ivanti·2024-10-09·CVSS 7.2
CVE-2024-9380 [HIGH] Ivanti CSA OS Command Injection
Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.
CVE IDs: CVE-2024-9380
Affected products: Cloud Services Appliance
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Remediation Due Date: 2024-10-30
Suricata
ET WEB_SPECIFIC_APPS Ivanti Cloud Service Appliance Authenticated Command Injection (CVE-2024-9380)
suricata·2024-10-29·CVSS 7.2
CVE-2024-9380 [HIGH] ET WEB_SPECIFIC_APPS Ivanti Cloud Service Appliance Authenticated Command Injection (CVE-2024-9380)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Cloud Service Appliance Authenticated Command Injection (CVE-2024-9380)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:16; content:"/gsb/reports.php"; fast_pattern; http.request_body; content:"TW_ID|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2024-9380; reference:url,www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa; classtype:attempted-admin; sid:2057138; rev:1; metadata:affected_product Ivanti, attack_target Networking_Equipment, tls_state TLSDecrypt, cre
No public exploits indexed.
Wiz
Crying Out Cloud Newsletter - August 2025 | Wiz
blogs_wiz·2025-08-10·CVSS 9.0
[CRITICAL] Crying Out Cloud Newsletter - August 2025 | Wiz
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Let's dive in.
## 🔍 Highlights
## Soco404 Cryptomining Campaign Exploits PostgreSQL and Cloud Misconfigurations
Wiz Research has uncovered the Soco404 campaign, a sophisticated, multi-platform cryptomining operation targeting cloud environments through exposed PostgreSQL instances, vulnerable Apache Tomcat servers, and other misconfigurations. The campaign delivers Linux and Windows payloads via fake 404 error pages embedded with base64 malware hosted on compromised or deceptive websites, including Google Sites and fraudulent crypto platforms. The attackers use a
Checkpoint
27th January – Threat Intelligence Report
blogs_checkpoint·2025-01-27
CVE-2024-8963 27th January – Threat Intelligence Report
## 27th January – Threat Intelligence Report
Stark Aerospace, a US-based manufacturer specializing in missile systems and UAVs, contractor of the US Military and the Department of Defense (DoD), has been targeted by the INC ransomware group. The attackers claim to have exfiltrated 4TB of data, including design documentation, source codes, firmware for various UAVs, contracts with the DoD, supply chain information, and personal data of company instructors.
Check Point Threat Emulation and Harmony Endpoint provide pr
Bleepingcomputer
CISA: Hackers still exploiting older Ivanti bugs to breach networks
blogs_bleepingcomputer·2025-01-23·CVSS 7.2
CVE-2024-8963 [HIGH] CISA: Hackers still exploiting older Ivanti bugs to breach networks
## CISA: Hackers still exploiting older Ivanti bugs to breach networks
## Sergiu Gatlan
CISA and the FBI warned today that attackers are still exploiting Ivanti Cloud Service Appliances (CSA) security flaws patched since September to breach vulnerable networks.
The vulnerabilities chained in these attacks include CVE-2024-8963 (an admin authentication bypass patched in September) and CVE-2024-8190 (a remote code execution bug patched the same month). Two other bugs, CVE-2024-9379 (an SQL injection) and CVE-2024-9380 (a remote code execution vulnerability), were both addressed in October.
All four bugs have been tagged as exploited in zero-day attacks before. CISA added them to its Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies t
Bleepingcomputer
Ivanti warns of maximum severity CSA auth bypass vulnerability
blogs_bleepingcomputer·2024-12-10·CVSS 10.0
CVE-2024-11639 [CRITICAL] Ivanti warns of maximum severity CSA auth bypass vulnerability
## Ivanti warns of maximum severity CSA auth bypass vulnerability
## Sergiu Gatlan
Today, Ivanti warned customers about a new maximum-severity authentication bypass vulnerability in its Cloud Services Appliance (CSA) solution.
The security flaw (tracked as CVE-2024-11639 and reported by CrowdStrike's Advanced Research Team) enables remote attackers to gain administrative privileges on vulnerable appliances running Ivanti CSA 5.0.2 or earlier without requiring authentication or user interaction by circumventing authentication using an alternate path or channel.
Ivanti advises admins to upgrade vulnerable appliances to CSA 5.0.3 using detailed information available in this support document.
"We are not aware of any customers being exploited by these vulnerabilities prior to public disc
Wiz
Crying Out Cloud - November 2024 Newsletter | Wiz
blogs_wiz·2024-11-01·CVSS 7.2
[HIGH] Crying Out Cloud - November 2024 Newsletter | Wiz
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Let's dive in.
Here are our top picks!
## 🔍 Highlights
Supply Chain Attack on lottie-player
On October 30, 2024, a supply chain attack was initiated against the popular JavaScript library lottie-player, injecting malicious code that populates a Web3 wallet connection prompt on legitimate websites using the library, potentially targeting prominent cryptocurrency platforms and other high-traffic websites. The compromised versions of lottie-player were later removed from major CDNs and npm, but websites still using compromised versions of the library remain affected.
Fortinet
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs
blogs_fortinet·2024-10-11·CVSS 7.2
[HIGH] Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs
By Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans and Robert Reyes | October 11, 2024
Affected Platforms: Ivanti Cloud Services Appliance version 4.6 and prior
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
Today FortiGuard Labs is releasing this blog post about a case where an advanced adversary was observed exploiting three vulnerabilities affecting the Ivanti Cloud Services Appli
Bleepingcomputer
Ivanti warns of three more CSA zero-days exploited in attacks
blogs_bleepingcomputer·2024-10-08·CVSS 7.2
[HIGH] Ivanti warns of three more CSA zero-days exploited in attacks
## Ivanti warns of three more CSA zero-days exploited in attacks
## Sergiu Gatlan
American IT software company Ivanti has released security updates to fix three new Cloud Services Appliance (CSA) zero-days tagged as actively exploited in attacks.
As Ivanti revealed on Tuesday, attackers are chaining the three security flaws with another CSA zero-day patched in September.
Successful exploitation of these vulnerabilities can let remote attackers run SQL statements via SQL injection, execute arbitrary code via command injection, and bypass security restrictions by abusing a path traversal weakness on vulnerable CSA gateways (used to provide enterprise users secure access to internal network resources).
"We are aware of a limited number of customers running CSA 4.6 patch 518 and prior wh
2024-10-08: Published
2024-10-09: Added to CISA KEV
Exploited in the wild