CVE-2024-9381
Published 2024-10-08
CVE-2024-9381: Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.
Priority: P2 (77) · high · CVSS 3.1: 7.2
AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 15.65% (96.4th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | cloud_services_appliance | — | — |
| ivanti | endpoint_manager_cloud_services_appliance | < 5.0.2 | 5.0.2 |
Detection & IOCs (extracted from sources)
- Check for new or modified admin users on CSA appliances as a sign of compromise via CVE-2024-9381 exploitation
- Review EDR or other security software alerts for exploitation attempts targeting Ivanti CSA
- CVE-2024-9381 is actively chained with CVE-2024-8963 (admin bypass), CVE-2024-9379 (SQL injection), and CVE-2024-9380 (command injection); hunt for multi-stage exploitation sequences involving all four CVEs on CSA 4.6 patch 518 and prior
- Exploitation of CVE-2024-9381 has only been observed in CSA 4.6 (end-of-life); no exploitation observed in CSA 5.0 versions
- CVE-2024-9381 requires the attacker to be a remote authenticated user with admin privileges to exploit the path traversal
- Active exploitation specifically targets CSA 4.6 patch 518 and prior when chained with CVE-2024-8963; standalone exploitation scope may differ
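CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 7.2 | HIGH | |
| cisa | | 7.2 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |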
GHSA
GHSA-3qx8-772m-x3f3: Path traversal in Ivanti CSA before version 5
ghsa_unreviewed·2024-10-08
CVE-2024-9381 [HIGH] CWE-22 GHSA-3qx8-772m-x3f3: Path traversal in Ivanti CSA before version 5
Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.
VulnCheck
Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
vulncheck·2024·CVSS 6.5
CVE-2024-9379 [MEDIUM] CWE-89 Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.
Affected: Ivanti Cloud Services Appliance (CSA)
Required Action: As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Exploitation References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://harfang
VulnCheck
Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability
vulncheck·2024·CVSS 7.2
CVE-2024-8963 [HIGH] CWE-22 Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability
Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance.
Affected: Ivanti Cloud Services Appliance (CSA)
Required Action: As Ivanti CSA has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line of supported solutions, as future vulnerabilities on the 4.6.x version of CSA are unlikely to receive security updates.
Exploitation References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud
VulnCheck
Ivanti CSA Path Traversal Security Bypass Vulnerability
vulncheck·2024·CVSS 6.5
CVE-2024-9381 [MEDIUM] Ivanti CSA Path Traversal Security Bypass Vulnerability
Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.
Affected: Ivanti CSA (Cloud Services Application)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US; https://harfanglab.io/insidethelab/insights-ivanti-csa-exploitation/; https://www.fortiguard.com/outbreak-alert/ivanti-csa-zero-day-attack; https://images.global.fortinet.com/Web/FortinetInc2/%7B4e3646cf-fdb5-4c17-8bca-4f506f5
VulnCheck
Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
vulncheck·2024·CVSS 6.5
CVE-2024-9380 [MEDIUM] CWE-77 Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.
Affected: Ivanti Cloud Services Appliance (CSA)
Required Action: As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Exploitation References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https:
CISA
Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
cisa·2024-10-09·CVSS 7.2
CVE-2024-9379 [HIGH] CWE-89 Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
Vulnerability: Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
Affected: Ivanti Cloud Services Appliance (CSA)
Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.
Required Action: As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Notes: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381 ; https://nvd.nist.gov/vuln/detail/CVE-2024-9379
Remediation Due Date: 2024-10-30
CISA
Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
cisa·2024-10-09·CVSS 7.2
CVE-2024-9380 [HIGH] CWE-77 Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
Vulnerability: Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability
Affected: Ivanti Cloud Services Appliance (CSA)
Ivanti Cloud Services Appliance (CSA) contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS.
Required Action: As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Notes: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381 ; https://nvd.nist.gov/vuln/detail/CVE-2024-9380
Remediation Due Date: 2024-10-30
Ivanti
Ivanti CSA Path Traversal (2)
vendor_ivanti·CVSS 7.2
CVE-2024-9381 [HIGH] Ivanti CSA Path Traversal (2)
CVE IDs: CVE-2024-9381
Affected products: Cloud Services Appliance
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Ivanti warns of maximum severity CSA auth bypass vulnerability
blogs_bleepingcomputer·2024-12-10·CVSS 10.0
CVE-2024-11639 [CRITICAL] Ivanti warns of maximum severity CSA auth bypass vulnerability
## Ivanti warns of maximum severity CSA auth bypass vulnerability
By Sergiu Gatlan
Today, Ivanti warned customers about a new maximum-severity authentication bypass vulnerability in its Cloud Services Appliance (CSA) solution.
The security flaw (tracked as CVE-2024-11639 and reported by CrowdStrike's Advanced Research Team) enables remote attackers to gain administrative privileges on vulnerable appliances running Ivanti CSA 5.0.2 or earlier without requiring authentication or user interaction by circumventing authentication using an alternate path or channel.
Ivanti advises admins to upgrade vulnerable appliances to CSA 5.0.3 using detailed information available in this support document.
"We are not aware of any customers being exploited by these vulnerabilities prior to public disc
Bleepingcomputer
Ivanti warns of three more CSA zero-days exploited in attacks
blogs_bleepingcomputer·2024-10-08·CVSS 7.2
[HIGH] Ivanti warns of three more CSA zero-days exploited in attacks
## Ivanti warns of three more CSA zero-days exploited in attacks
By Sergiu Gatlan
American IT software company Ivanti has released security updates to fix three new Cloud Services Appliance (CSA) zero-days tagged as actively exploited in attacks.
As Ivanti revealed on Tuesday, attackers are chaining the three security flaws with another CSA zero-day patched in September.
Successful exploitation of these vulnerabilities can let remote attackers run SQL statements via SQL injection, execute arbitrary code via command injection, and bypass security restrictions by abusing a path traversal weakness on vulnerable CSA gateways (used to provide enterprise users secure access to internal network resources).
"We are aware of a limited number of customers running CSA 4.6 patch 518 and prior wh
Bugzilla
CVE-2024-36906 kernel: ARM: 9381/1: kasan: clear stale stack poison
bugzilla·2024-06-03·CVSS 7.8
CVE-2024-36906 [HIGH] CVE-2024-36906 kernel: ARM: 9381/1: kasan: clear stale stack poison
In the Linux kernel, the following vulnerability has been resolved:
ARM: 9381/1: kasan: clear stale stack poison
The Linux kernel CVE team has assigned CVE-2024-36906 to this issue.
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024053036-CVE-2024-36906-736b@gregkh/T
Discussion:
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2284538]
---
The result of automatic check (that is developed by Alexander Larkin) for this CVE-2024-36906 is: SKIP No affected files built, so skip this CVE NO - - unknown (where first YES/NO value means if related sources built).