Ivanti Security Update – 22 September 2024

Ivanti has released a security update to fix a critical vulnerability across Ivanti Cloud Services Appliance (CSA) version 4.6.

The addressed vulnerability could allow a remote, unauthenticated attacker to traverse directories on the system by sending a specially crafted URL request, thereby accessing restricted functionality and obtaining sensitive information.

Threat actors could chain this vulnerability with CVE-2024-8190, covered in the report "Ivanti Security Updates – 11 September 2024", to bypass admin authentication and execute arbitrary commands on affected systems.

Ivanti Cloud Services Appliance Directory Traversal Vulnerability (CVE-2024-8963):

  • CVSS: 9.4
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Obtain Information

It should be highlighted that Ivanti is aware that CVE-2024-8963 is being exploited in the wild. Ivanti also warns that CSA 4.6 is End Of Life and no longer supported, and that customers must upgrade to Ivanti CSA 5.0.
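Because the vulnerability is already exploited in the wild, defenders will want to hunt for traversal attempts against the appliance in web access logs. The following is an added example (not Ivanti's code and not tied to any real CSA endpoint); it scans constructed combined-format log lines for parent-directory references, decoding percent-encoding repeatedly so that double-encoded sequences are not missed, and reports the requests that need follow-up.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). The request
# paths are placeholders chosen for illustration, not CSA's real endpoints.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2024:10:01:12 +0000] "GET /app/help.php HTTP/1.1" 200 512
203.0.113.9 - - [22/Sep/2024:10:01:15 +0000] "GET /app/..%2f..%2f/restricted/config HTTP/1.1" 200 1024
203.0.113.9 - - [22/Sep/2024:10:01:16 +0000] "GET /app/%252e%252e/%252e%252e/restricted/ HTTP/1.1" 200 77
198.51.100.4 - - [22/Sep/2024:10:02:00 +0000] "GET /static/logo.png HTTP/1.1" 304 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment bounded by a slash (either kind) or the path boundary.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')

def normalize_path(path, max_rounds=3):
    """Percent-decode until stable (unmasks double encoding) and unify slashes."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')

def has_traversal(path):
    """True when any segment of the decoded path is a parent-directory reference."""
    return TRAVERSAL_RE.search(normalize_path(path)) is not None

def find_traversal_requests(log_text):
    """Return (ip, raw_path, status) for every request whose path traverses.
    A 2xx status means the server served the request and needs investigation."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and has_traversal(m['path']):
            hits.append((m['ip'], m['path'], int(m['status'])))
    return hits

if __name__ == '__main__':
    for ip, path, status in find_traversal_requests(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```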

Vulnerabilities

CVE-2024-8963

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

References

Ivanti Security Advisory