CVE-2024-8190 — Ivanti Cloud Services Appliance OS Command Injection Vulnerability

Ivanti CSA 4.6.x — Admin-Auth OS Command Injection on EOL Appliance; First in Multi-CVE Exploit Chain

What is Ivanti Cloud Services Appliance?

Ivanti Cloud Services Appliance (CSA) is an on-premises appliance providing cloud-based management capabilities for Ivanti Endpoint Manager (LANDESK). It serves as the communication bridge between managed endpoints and cloud management services, handling software deployment, patch management, and remote device management. CSA 4.6.x reached end-of-life and no longer receives regular security updates from Ivanti — the company issued an interim patch for this specific vulnerability but recommends full migration to CSA 5.0.x as the permanent solution.

Overview

CVE-2024-8190 is an OS command injection vulnerability in the Ivanti CSA administrative console that allows an authenticated attacker with application admin privileges to pass commands to the underlying OS. It is the first OS command injection vulnerability in a series of Ivanti CSA 4.6.x bugs exploited in 2024: CVE-2024-8190 (September 2024), CVE-2024-8963 (path traversal authentication bypass), and CVE-2024-9380 (a second command injection). When CVE-2024-8963 is chained with CVE-2024-8190, an unauthenticated attacker can achieve full OS command execution — the path traversal bypasses authentication, and the command injection provides OS-level access.

Affected Versions

Product           Status
Ivanti CSA 4.6.x  End-of-life; interim Patch 519 available but upgrade to 5.0.x strongly recommended
Ivanti CSA 5.0.x  Not affected

Technical Details

CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The CSA 4.6.x administrative console passes user-supplied input from certain management functions to OS commands without adequate sanitization. An attacker with admin-level access can inject shell metacharacters into configuration parameters, causing the underlying OS to execute arbitrary commands. Because the CSA administrative console runs with elevated OS privileges, the injected commands execute with correspondingly high privilege.
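The following is an added illustration of the CWE-78 pattern described above, not code from Ivanti or from this advisory. The page does not identify which management function or parameter is affected, so the function names, the "hostname" parameter and the ping command are assumptions. It contrasts the defect (a parameter spliced into a shell string) with the usual fix (allowlist validation plus an argv list that never passes through a shell), and uses the Python interpreter itself as the child process to show that an argv element reaches the child verbatim.

```python
import re
import subprocess
import sys
from typing import List

# Constructed illustration of CWE-78. The page states only that the CSA 4.6.x
# admin console passes configuration parameters into OS commands without
# adequate sanitization; the function names, the "hostname" parameter and the
# ping command are assumptions, not Ivanti's code.


def build_command_vulnerable(hostname: str) -> str:
    """The CWE-78 pattern: a parameter is spliced into a string handed to a shell.

    Whatever the shell treats specially in `hostname` (';', '|', '$(...)', ...)
    becomes part of the command line. The string is returned rather than
    executed so the defect can be inspected without running anything.
    """
    return f"ping -c 1 {hostname}"


# Allowlist for the one shape this parameter may legitimately take: a hostname
# or dotted IPv4 literal (RFC 1123 labels joined by dots, at most 253 chars).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_hostname(hostname: str) -> str:
    """Accept only allowlisted input; rejecting beats trying to strip metacharacters."""
    if not _HOSTNAME_RE.match(hostname):
        raise ValueError(f"rejected hostname parameter: {hostname!r}")
    return hostname


def build_command_hardened(hostname: str) -> List[str]:
    """Validate, then build an argv list for subprocess.run(..., shell=False).

    With an argv list no shell ever parses the value, so metacharacters carry
    no special meaning even if validation were somehow bypassed. The command
    should additionally run as an unprivileged account: the page notes the CSA
    console runs with elevated OS privileges, which is what makes the
    injection so damaging.
    """
    return ["ping", "-c", "1", validate_hostname(hostname)]


def echo_argument_without_shell(value: str) -> str:
    """Show that an argv element reaches the child verbatim, ';' and all.

    Uses the current Python interpreter as the child so the demonstration runs
    anywhere; the child just writes its first argument back.
    """
    child = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value],
        shell=False, capture_output=True, text=True, check=True,
    )
    return child.stdout


if __name__ == "__main__":
    tainted = "10.0.0.5; id"  # constructed input carrying a shell metacharacter
    print("vulnerable string:", build_command_vulnerable(tainted))
    print("argv reaches child as:", repr(echo_argument_without_shell(tainted)))
    try:
        build_command_hardened(tainted)
    except ValueError as exc:
        print("hardened path:", exc)
    print("hardened argv:", build_command_hardened("10.0.0.5"))
```

The two defences are deliberately layered: the allowlist rejects anything that is not a hostname, and the argv list means that even a value which slipped past validation would be handed to the child as a single literal argument rather than interpreted by a shell.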

In the Ivanti CSA 4.6.x exploit chain documented in 2024:

  • CVE-2024-8963 (path traversal) — bypasses authentication, granting unauthenticated access to the admin console
  • CVE-2024-8190 (command injection, this CVE) — executes OS commands via the now-accessible admin console
  • CVE-2024-9380 (second command injection) — an additional injection vector in the same product

All three vulnerabilities affect the same EOL product and are chained by threat actors for complete unauthenticated RCE.

Discovery

The vulnerability was reported to Ivanti, which issued an interim patch (CSA 4.6 Patch 519) while strongly recommending an upgrade to the supported CSA 5.0.x line. CISA added the vulnerability to the KEV catalog three days after publication, indicating confirmed exploitation.

Exploitation Context

Active exploitation of Ivanti CSA 4.6.x was documented in September–October 2024, with multiple CVEs being chained to achieve unauthenticated RCE against organizations that had not upgraded to CSA 5.0.x. The persistent exploitation of end-of-life Ivanti products reflects the challenge of managing EOL appliances in enterprise environments and the sustained attacker focus on network management infrastructure.

Remediation

  1. Upgrade to Ivanti CSA 5.0.x — the 4.6.x branch is end-of-life. The interim Patch 519 addresses CVE-2024-8190 but does not address CVE-2024-8963 or CVE-2024-9380. Only upgrading to 5.0.x resolves the full vulnerability chain.
  2. If immediate upgrade is not possible, apply CSA 4.6 Patch 519 as an interim measure and isolate the appliance from internet access.
  3. Review CSA administrative logs for unauthorized logins or unexpected configuration changes.
  4. See also CVE-2024-8963 (path traversal auth bypass) and CVE-2024-9380 (additional command injection) for the full Ivanti CSA 4.6.x exploitation chain.
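As an added example for step 3, not code from Ivanti or from this advisory: a small review pass over administrative log lines that flags the two things the step names, successful console logins from outside the networks an administrator is expected to use, and configuration changes whose values carry shell metacharacters. The page does not describe the CSA log format, so the key=value layout, the field names, the expected admin network and the sample lines are all constructed assumptions; a real review would adapt the parser to the appliance's actual log layout.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed log format. The page only says to review CSA administrative logs
# for unauthorized logins and unexpected configuration changes; the key=value
# layout, field names, source networks and sample lines are assumptions.
SAMPLE_LOG = """\
2024-09-12T03:14:07Z user=admin src=198.51.100.20 action=login result=success
2024-09-12T03:15:02Z user=admin src=198.51.100.20 action=config_change param=ntp_server value="time.example.net"
2024-09-12T22:41:55Z user=admin src=203.0.113.77 action=login result=success
2024-09-12T22:42:10Z user=admin src=203.0.113.77 action=config_change param=ntp_server value="time.example.net; id"
2024-09-13T08:00:00Z user=operator src=198.51.100.21 action=login result=failure
"""

# Networks from which console logins are expected (assumption: an admin VLAN).
EXPECTED_ADMIN_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Characters a POSIX shell interprets. A configuration value on the admin
# console should never need them, so their presence is worth a closer look.
SHELL_META_RE = re.compile(r'[;&|`$<>\\]')

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class Finding:
    timestamp: str
    reason: str
    line: str


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict; the first token is the timestamp."""
    timestamp, _, rest = line.partition(" ")
    fields = {"ts": timestamp}
    for key, raw, quoted in KV_RE.findall(rest):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def review(log_text: str) -> List[Finding]:
    """Flag successful logins from unexpected networks and configuration
    values carrying shell metacharacters."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        action = f.get("action")
        if action == "login" and f.get("result") == "success":
            src = ipaddress.ip_address(f["src"])
            if not any(src in net for net in EXPECTED_ADMIN_NETS):
                findings.append(Finding(f["ts"], f"admin login from unexpected source {src}", line))
        elif action == "config_change" and SHELL_META_RE.search(f.get("value", "")):
            findings.append(Finding(f["ts"], f"shell metacharacter in parameter {f.get('param')}", line))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(f"{finding.timestamp}  {finding.reason}\n    {finding.line}")
```

The metacharacter class is a review heuristic rather than a detection rule: some legitimate values (a URL with a query string, for instance) contain `&`, so tune the class to the parameters the appliance actually exposes, and treat a hit as a prompt to inspect the change and the session that made it.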

Key Details

Property              Value
CVE ID                CVE-2024-8190
Vendor / Product      Ivanti — Cloud Services Appliance
NVD Published         2024-09-10
NVD Last Modified     2025-10-24
CVSS 3.1 Score        7.2
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-78
CISA KEV Added        2024-09-13
CISA KEV Deadline     2024-10-04
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Network
Attack Complexity    Low
Privileges Required  High
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2024-10-04. As Ivanti CSA 4.6.x has reached end-of-life status, users are urged to remove CSA 4.6.x from service or upgrade to the supported 5.0.x line, since the 4.6.x branch is unlikely to receive security updates for future vulnerabilities.

Timeline

Date        Event
2024-09-10  Ivanti publishes security advisory for CVE-2024-8190; CSA 4.6 Patch 519 issued (interim patch for EOL product)
2024-09-13  Added to CISA Known Exploited Vulnerabilities catalog
2024-10-04  CISA BOD 22-01 remediation deadline

References

Resource                                       Type
Ivanti Security Advisory — CSA CVE-2024-8190   Vendor Advisory
NVD — CVE-2024-8190                            Vulnerability Database
CISA KEV Catalog Entry                         US Government