Further insights into Ivanti CSA 4.6 vulnerabilities exploitation
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
This analysis examines the exploitation of critical vulnerabilities in Ivanti Cloud Service Appliance (CSA) 4.6 between October 2024 and January 2025. It confirms widespread exploitation leading to webshell deployments in September and October 2024. The report provides details on malicious activities conducted within a targeted organization in September 2024 after compromising an Ivanti CSA device. A cluster of associated implants and infrastructure is identified. A root cause analysis of CVE-2024-8963 reveals it stems from URL parsing issues in Ivanti's proprietary web server and PHP CGI configuration. The vulnerability allowed unauthenticated remote code execution. Various webshell variants deployed by attackers are described. Over 1,100 vulnerable Ivanti CSA devices were found online, with webshells on nearly half of them.
OPENCTI LABELS :
exploitation,ivanti,remote code execution,vulnerability,infrastructure,webshell,reversessh,cve-2024-9381,nhas reverse_ssh,csa,cve-2024-8190,cve-2024-9379,cve-2024-8963