Further insights into Ivanti CSA 4.6 vulnerabilities exploitation
Essential information
- Published: 11/02/2025 04:47
- Modified: 11/02/2025 09:05
- Tags: 2025-02-11, CVE-2024-8190, CVE-2024-8963, CVE-2024-9379, CVE-2024-9381, csa, exploitation, infrastructure, ivanti, nhas, reverse_ssh, remote code execution, reversessh, vulnerability, webshell
- Related entities: 9 vulnerabilities (cve), 19 observables, 9 techniques (mitre), 2 malware, 8 others
Description
This analysis examines the exploitation of critical vulnerabilities in Ivanti Cloud Service Appliance (CSA) 4.6 between October 2024 and January 2025. It confirms widespread exploitation that led to webshell deployments in September and October 2024, and details the malicious activity carried out inside a targeted organization in September 2024 after one of its Ivanti CSA devices was compromised. A cluster of associated implants and infrastructure is identified. A root cause analysis of CVE-2024-8963 shows that it stems from URL parsing issues in Ivanti's proprietary web server combined with the appliance's PHP CGI configuration; the vulnerability allowed unauthenticated remote code execution. The webshell variants deployed by the attackers are described. Over 1,100 vulnerable Ivanti CSA devices were found exposed on the internet, and webshells were present on nearly half of them.