CVE-2024-8963:
Path Traversal in Ivanti Cloud Services Appliance (CSA) prior to 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.1Critical- Published Date:Sep 19, 2024
- CISA KEV Date:Sep 19, 2024
- Industries Affected:20
Threat Predictions
- EPSS Score:94.2
- EPSS Percentile:100%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.2
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:NONE
Description Preview
Path Traversal in Ivanti Cloud Services Appliance (CSA) prior to 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
Overview
Ivanti CSA is affected by a path traversal vulnerability that can be exploited by an unauthenticated remote attacker to access restricted functionality, exposing sensitive information or enabling further compromise. The vulnerability (CVE-2024-8963) carries a high severity score (CVSS v3.1: 9.4) due to its impact on confidentiality and integrity, with network-based exploitation and no requirement for user interaction or privileges. The issue is categorized under CWE-22 (Path Traversal) and CAPEC-126. According to the advisory, versions prior to 4.6 Patch 519 are affected, while 4.6 Patch 519 and 5.0 are not affected (i.e., patched). Governance references include Ivanti’s security advisory and external catalogs such as the MITRE CVE entry and the CISA KEV catalog.
Remediation
- Upgrade to Ivanti CSA version 4.6 Patch 519 or later (including 5.0 or subsequent releases) to remediate the vulnerability. Verify the patch is installed on all affected appliances.
- If immediate patching is not possible, implement compensating controls:
- Restrict network access to CSA management interfaces using allowlists and strong network segmentation.
- Deploy a Web Application Firewall (WAF) or equivalent to block suspicious path traversal patterns.
- Disable or limit features that could expose restricted functionality to unauthenticated requests.
- After patching or applying mitigations, validate that restricted functionality can no longer be accessed without authentication and re-test to confirm successful remediation.
- Monitor and alert on anomalous access attempts targeting paths commonly used for traversal; collect and review CSA logs for suspicious activity.
- Enforce least privilege and, if applicable, enable MFA for administrative accounts; rotate credentials as part of the remediation cycle.
- Perform a follow-up vulnerability scan or penetration test to confirm the vulnerability is mitigated across all instances.
References
- - Ivanti Security Advisory for CSA CVE-2024-8963: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud-Services-Appliance-CVE-2024-8963
- - CVE-2024-8963 (MITRE): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8963
- - CISA Known Exploited Vulnerabilities Catalog (CVE-2024-8963): https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2024-8963
- - CAPEC-126 Path Traversal: https://capec.mitre.org/data/definitions/126.html
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
