cbcvebase.
CVE-2024-9381
published 2024-10-08

CVE-2024-9381: Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.

Priority: P2 · 77 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 15.65% (96.4th percentile)

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | cloud_services_appliance | | |
| ivanti | endpoint_manager_cloud_services_appliance | < 5.0.2 | 5.0.2 |

Detection & IOCs (extracted from sources)

  • Check for new or modified admin users on CSA appliances as a sign of compromise via CVE-2024-9381 exploitation
  • Review EDR or other security software alerts for exploitation attempts targeting Ivanti CSA
  • CVE-2024-9381 is actively chained with CVE-2024-8963 (admin bypass), CVE-2024-9379 (SQL injection), and CVE-2024-9380 (command injection) — hunt for multi-stage exploitation sequences involving all four CVEs on CSA 4.6 patch 518 and prior
  • Exploitation of CVE-2024-9381 has only been observed in CSA 4.6 (end-of-life); no exploitation observed in CSA 5.0 versions
  • CVE-2024-9381 requires the attacker to be a remote authenticated user with admin privileges to exploit the path traversal
  • Active exploitation specifically targets CSA 4.6 patch 518 and prior when chained with CVE-2024-8963; standalone exploitation scope may differ

CVSS provenance

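| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 7.2 | HIGH | |
| cisa | | 7.2 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |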