CVE-2024-8963 — Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability

Ivanti CSA 4.6 — Path Traversal Chains with CVE-2024-8190 for Unauthenticated RCE

What is Ivanti Cloud Services Appliance?

Ivanti Cloud Services Appliance (CSA) is a network gateway appliance that provides secure connectivity for managed devices to cloud-based services, including remote access tunneling, patch distribution, and endpoint management communications. CSA 4.6.x is end-of-life and no longer receives routine security updates. Because CSA sits at the boundary between managed endpoints and internal/cloud infrastructure, it handles privileged administrative communications — making compromise of a CSA appliance a valuable initial foothold for attackers targeting enterprise environments.

Overview

CVE-2024-8963 is a path traversal vulnerability in Ivanti CSA 4.6.x that allows an unauthenticated remote attacker to access restricted administrative functionality. On its own, the traversal grants unauthorized access to protected endpoints; when chained with CVE-2024-8190 (an OS command injection vulnerability in the same product added to KEV on September 10, 2024), the combination enables unauthenticated arbitrary command execution on the appliance. CISA added CVE-2024-8963 to the KEV catalog the same day it was published, confirming active zero-day exploitation. Ivanti's remediation guidance is to upgrade to CSA 5.0.x, as 4.6.x will not receive future security patches.

Affected Versions

Product          | Vulnerable   | Fix
Ivanti CSA 4.6.x | < Patch 519  | 4.6 Patch 519 (temporary; EOL)
Ivanti CSA 5.0.x | Not affected | Upgrade target

Since CSA 4.6.x is end-of-life, Ivanti's recommended remediation is migration to CSA 5.0.x rather than continued patching of the 4.6.x branch.

Technical Details

CWE-22 (Path Traversal). The CSA 4.6.x web interface accepted path components in HTTP requests that could traverse outside the intended web root, reaching administrative endpoints that should be inaccessible to unauthenticated users. Specifically, traversal of /client/index.php allowed access to admin-only functions.

Two-CVE attack chain:

  1. CVE-2024-8963 — path traversal bypasses the authentication check for admin endpoints.
  2. CVE-2024-8190 (CWE-78, OS command injection) — an authenticated OS command injection endpoint, now reachable without authentication via the traversal, allows execution of arbitrary OS commands.

The combined chain achieves unauthenticated remote code execution on the CSA appliance with operating system–level privileges.
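To hunt for this traversal in web-server access logs, the following is an added example (not code from the advisory or from Ivanti): it decodes each request path, including double-encoded variants, and flags requests that touch /client/index.php and contain a '..' segment. The log format and all sample lines are constructed for illustration.

```python
# Added example (not code from the advisory or from Ivanti): scan web-server
# access logs for path-traversal attempts aimed at the CSA endpoint the
# advisory names, /client/index.php, to hunt for CVE-2024-8963 probing.
# Log format and every sample line below are constructed for illustration.
import re
from urllib.parse import unquote

CSA_ENDPOINT = "/client/index.php"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (combined-log style); only lines 2 and 3 should fire.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Sep/2024:10:01:12 +0000] "GET /client/index.php HTTP/1.1" 200 512
203.0.113.7 - - [19/Sep/2024:10:02:44 +0000] "GET /client/index.php/../../example-restricted/ HTTP/1.1" 200 4096
203.0.113.7 - - [19/Sep/2024:10:02:51 +0000] "GET /client/index.php/%252e%252e/%252e%252e/example-restricted/ HTTP/1.1" 200 4096
203.0.113.9 - - [19/Sep/2024:10:03:05 +0000] "GET /images/../favicon.ico HTTP/1.1" 200 318
"""

def decode_path(target: str, rounds: int = 3) -> str:
    """Drop the query string and peel up to `rounds` layers of URL encoding."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")  # treat backslashes as separators too

def has_traversal(path: str) -> bool:
    """True if any path segment is '..' after decoding."""
    return any(seg == ".." for seg in path.split("/"))

def analyse_line(line: str):
    """Finding dict for a traversal attempt against the CSA endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m.group("target"))
    if CSA_ENDPOINT in path and has_traversal(path):
        return {"src": m.group("src"), "ts": m.group("ts"), "path": path,
                "status": int(m.group("status"))}
    return None

def scan_log(text: str) -> list:
    """Findings for every line in `text`, in log order."""
    return [hit for hit in map(analyse_line, text.splitlines()) if hit]
```

A 200 response on a flagged request deserves the compromise assessment described under Remediation; a 4xx may still indicate reconnaissance against the appliance.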

Discovery

Both CVE-2024-8963 and the companion CVE-2024-8190 were discovered and reported to Ivanti. The same-day KEV addition on September 19, 2024 confirms that exploitation was occurring in the wild prior to the advisory's publication.

Exploitation Context

Active zero-day exploitation was confirmed at advisory publication. Threat actors targeted internet-exposed CSA 4.6.x appliances, using the traversal + command injection chain to establish footholds on compromised appliances. From there, attackers had access to the managed endpoint communications handled by the CSA, facilitating reconnaissance and lateral movement into the broader enterprise environment. The end-of-life status of CSA 4.6.x means the exposure window for organizations slow to upgrade to CSA 5.0.x remains open.

Remediation

  1. Upgrade to Ivanti CSA 5.0.x — this is Ivanti's primary remediation recommendation since CSA 4.6.x is end-of-life.
  2. If immediate upgrade is not possible, apply CSA 4.6 Patch 519 as a temporary measure, but plan and execute the CSA 5.0.x migration promptly.
  3. Restrict CSA management interface access to trusted internal IP ranges; the interface should not be internet-accessible.
  4. After patching or upgrading, conduct a compromise assessment: review for unexpected processes, new accounts, modified files, and outbound connections that may indicate prior exploitation.
  5. Ensure CVE-2024-8190 is also addressed — both vulnerabilities must be patched to close the attack chain.

Key Details

Property             | Value
CVE ID               | CVE-2024-8963
Vendor / Product     | Ivanti — Cloud Services Appliance (CSA)
NVD Published        | 2024-09-19
NVD Last Modified    | 2025-10-24
CVSS 3.1 Score       | 9.4
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Severity             | CRITICAL
CWE                  | CWE-22
CISA KEV Added       | 2024-09-19
CISA KEV Deadline    | 2024-10-10
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | Low

Required Action

CISA BOD 22-01 Deadline: 2024-10-10. As Ivanti CSA has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line of supported solutions, as future vulnerabilities on the 4.6.x version of CSA are unlikely to receive security updates.

Timeline

Date       | Event
2024-09-10 | CVE-2024-8190 (companion OS command injection) added to CISA KEV
2024-09-19 | CVE-2024-8963 published and added to CISA KEV on the same day (confirmed zero-day exploitation)
2024-10-10 | CISA BOD 22-01 remediation deadline

References

Resource                                 | Type
Ivanti Security Advisory — CVE-2024-8963 | Vendor Advisory
NVD — CVE-2024-8963                      | Vulnerability Database
CISA KEV Catalog Entry                   | US Government