Thursday, April 3, 2025

Ivanti Sounds Alarm on Threat Actors Rushing to Exploit Recently Patched Cloud Infrastructure Weakness

Ivanti has disclosed that a recently patched security vulnerability in its Cloud Services Appliance (CSA) is being actively exploited in the wild.

A critical severity vulnerability, identified as CVE-2024-8190 with a CVSS rating of 7.2, allows for remote code execution under specific conditions.

An OS command injection vulnerability in unpatched Ivanti Cloud Services Appliance versions (4.6 Patch 518 and prior) enables a remote, authenticated attacker to execute arbitrary code, according to an advisory released by Ivanti earlier this week. “The attacker requires administrative access and elevated privileges to exploit this vulnerability effectively.”

The vulnerability affects Ivanti CSA 4.6, which has reached end-of-life and is no longer supported, so customers need to upgrade to a supported version going forward. The issue has been resolved in CSA 4.6 Patch 519.

“With its end-of-life status now confirmed, Ivanti has announced it will no longer provide backports for this specific model.” “Clients are encouraged to upgrade to Ivanti CSA 5.0 to ensure ongoing support.”

The current supported version of CSA (CSA 5.0) does not contain this vulnerability. Clients already operating Ivanti CSA 5.0 do not need to take any further action.

On Friday, Ivanti issued an advisory alerting users to confirmed instances of the vulnerability being exploited in the wild, targeting a “limited subset” of clients.

Details of the attacks and the perpetrators are not available, but numerous vulnerabilities in Ivanti’s products have been exploited as zero-days by China-connected cyberespionage groups, highlighting the severity of the situation.

The exploitation has prompted a response from the United States government. The Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to address the flaw listed in its Known Exploited Vulnerabilities (KEV) catalog, mandating that they apply the necessary patches by October 4, 2024.

A critical deserialization vulnerability (CVE-2024-29847, CVSS rating: 10.0), identified by cybersecurity firm Horizon3.ai through an in-depth technical evaluation, has been discovered in Endpoint Manager (EPM).
