
Unidentified threat actors are chaining a second vulnerability in the Ivanti Cloud Service Appliance to gain expanded privileges.

Attackers are combining a known security flaw with a previously disclosed CVE to bypass authentication and take control of affected systems.

Ivanti Cloud Service Appliance Vulnerability Leveraged by Attackers for Enhanced Access Rights

A critical path traversal and administrative bypass vulnerability (CVE-2024-8963) in Ivanti's Cloud Service Appliance (CSA) has been actively exploited since September 2024 by sophisticated threat actors, including Chinese state-sponsored groups. This vulnerability, combined with other exploits such as CVE-2024-9380 and CVE-2024-8190, has allowed hackers to gain unauthorized administrative access, execute remote code, steal credentials, implant web shells, and maintain persistence on victim networks, including French government agencies and other high-value targets worldwide.

### Key Details

Threat actors have deployed PHP web shells, modified PHP scripts for backdoors, installed kernel rootkits, and used open-source and custom tools to maintain stealth and persistence. In some cases, they have patched the exploited vulnerabilities themselves to block other attackers' access. The French National Agency for the Security of Information Systems (ANSSI) has attributed the attacks to Chinese groups, specifically a cluster known as Houken linked to UNC5174.

### Impact

Access was sold or brokered to other groups, enabling further attacks on government, commercial, and NGO sectors globally. Primary objectives appear to be intelligence gathering and credential theft, with some cryptojacking observed.

### Recommendations and Mitigations

Ivanti strongly urges all users to upgrade to CSA version 5.0, which is not affected by CVE-2024-8963 or the related vulnerabilities. Systems running end-of-life or unpatched versions remain vulnerable. CISA and FBI recommend network defenders actively hunt for indicators of compromise (IOCs) related to CVE-2024-8963 exploitation, including unusual administrative access, web shells, and kernel rootkits. They provide detection methods and encourage consulting CISA’s Known Exploited Vulnerabilities Catalog for updated guidance.

Administrators should review logs for signs of chained exploit activity, isolate compromised systems, and consult trusted incident response resources. Ivanti recommends installing an endpoint detection and response (EDR) tool on the system as part of a layered approach to security.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-8963 to its known exploited vulnerabilities catalog, following an earlier addition of CVE-2024-8190. Ivanti has confirmed a limited number of customers have been impacted by the exploitation of CVE-2024-8963, but specific details of the attacks were not shared.

The addition of CVE-2024-8963 to CISA's catalog does not necessarily mean that all customers using CSA version 4.6 have been impacted, but it does indicate that the vulnerability is being actively exploited. The vulnerability has a CVSS score of 9.4 and allows unauthenticated hackers to access restricted functionality. Some attempts to exploit the vulnerability may show up in broker logs, which are local to the system.

In summary, immediate patching/upgrading to Ivanti CSA 5.0, continuous monitoring for attacker activity, and following CISA/FBI advisory guidelines are the strongest current defenses against CVE-2024-8963 exploitation. Ivanti has promised major changes in how it develops products and works with customers and the security community, following an agreement to overhaul its internal security culture. Users should also review EDR alerts or those from other security tools if they are already installed.

  1. The ongoing exploitation of the critical path traversal and administrative bypass vulnerability (CVE-2024-8963) in Ivanti's Cloud Service Appliance (CSA), combined with other vulnerabilities such as CVE-2024-9380 and CVE-2024-8190, poses a significant threat, as it allows hackers to gain unauthorized administrative access and execute remote code.
  2. Network defenders are advised to proactively hunt for indicators of compromise (IOCs) related to the actively exploited CVE-2024-8963 vulnerability, including unusual administrative access, web shells, and kernel rootkits, as recommended by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
