CVE-2024-9379 — Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability

Ivanti CSA 4.6.x (EOL) — Admin-Auth SQL Injection Enables Arbitrary SQL Execution; Chained in Active Zero-Day Exploitation with CVE-2024-9380 and CVE-2024-9381

What is Ivanti Cloud Services Appliance (CSA)?

Ivanti Cloud Services Appliance (CSA) is a hardware/virtual appliance providing secure remote access and application delivery for enterprise environments. It acts as a gateway between remote users and internal resources, handling authentication, VPN connectivity, and application tunneling. Organizations in government, healthcare, and critical infrastructure use CSA to manage remote access. The appliance has an administrative web console for configuration management. Ivanti CSA 4.6.x reached end-of-life status, meaning no further security patches were planned — a condition that made vulnerabilities found during this period particularly dangerous since organizations running EOL versions had no supported upgrade path short of migrating to CSA 5.0.x.

Overview

CVE-2024-9379 is an SQL injection vulnerability in the Ivanti CSA admin web console, exploitable by a remote attacker with administrator credentials. It was one of three zero-days Ivanti disclosed on October 8, 2024 — alongside CVE-2024-9380 (OS command injection) and CVE-2024-9381 (path traversal) — all actively exploited in combination against Ivanti CSA 4.6.x devices. The cluster of zero-days followed the earlier CVE-2024-8963 (path traversal, September 2024), reflecting sustained attacker interest in Ivanti CSA 4.6.x as an EOL target with no patch support.

Affected Versions

Product            Vulnerable    Status
Ivanti CSA 4.6.x   All builds    EOL — no patch; migrate to CSA 5.0.x
Ivanti CSA 5.0.x   < 5.0.2       Patched in 5.0.2

Technical Details

CWE-89 (SQL Injection). The Ivanti CSA admin web console contains one or more input fields that are not properly sanitized before being incorporated into SQL queries. An authenticated attacker with administrator access can inject arbitrary SQL statements, allowing database reads, writes, or command execution depending on the SQL engine's configuration and permissions. In the observed exploitation chain, this SQL injection vulnerability was combined with CVE-2024-9380 (OS command injection) and CVE-2024-9381 (path traversal) to establish persistent access — the SQL injection enabling database manipulation to create or escalate accounts, while the command injection achieved OS-level code execution.

The admin authentication prerequisite (PR:H) reflects that initial access to the admin console is needed. However, in the context of the broader exploitation chain, attackers who had already compromised CSA admin credentials via prior vulnerabilities (such as CVE-2024-8963) could then chain these three vulnerabilities for deeper compromise.
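The defect class described above (CWE-89) in miniature, as an added illustration that is not Ivanti's code: an admin-console lookup that splices console input into the statement text, beside the same lookup with a bound parameter. The in-memory SQLite table, the `users` schema and the lookup functions are all constructed for this example.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    # Constructed stand-in for an appliance database; not Ivanti CSA's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "operator"), ("carol", "viewer")],
    )
    conn.commit()
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # BAD: console input becomes part of the SQL text, so a quote character
    # in `name` changes the structure of the query rather than its data.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_hardened(conn: sqlite3.Connection, name: str) -> list:
    # GOOD: the value travels to the engine separately from the statement,
    # so it can only ever be compared as a string literal.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def demo() -> dict:
    """Run both lookups on an ordinary name and on input containing a quote."""
    conn = build_db()
    benign = "bob"
    quoted = "x' OR '1'='1"   # input that breaks out of the string literal
    return {
        "vuln_benign": find_user_vulnerable(conn, benign),
        "vuln_quoted": find_user_vulnerable(conn, quoted),
        "safe_benign": find_user_hardened(conn, benign),
        "safe_quoted": find_user_hardened(conn, quoted),
    }
```

With the concatenated query the quoted input returns every row; with the bound parameter it matches nothing, which is the whole difference between an injectable console field and a safe one.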

Discovery

Observed in active exploitation against Ivanti CSA 4.6.x devices in targeted attacks. Ivanti disclosed these three zero-days simultaneously after identifying exploitation in the wild against a limited number of customers. The pattern — multiple CVEs disclosed together, confirmed as exploited zero-days, on EOL software — is consistent with a sophisticated threat actor conducting sustained access operations against Ivanti appliances throughout 2024.

Exploitation Context

Ivanti appliances became a priority target for nation-state and sophisticated criminal actors throughout 2024 following multiple zero-days in Ivanti Connect Secure (January 2024). The CSA zero-day cluster in October 2024 indicates attackers maintained a portfolio of Ivanti-specific exploits targeting different product lines. Organizations running EOL CSA 4.6.x had no supported path to receive a patch — the only remediation was migration to CSA 5.0.x or decommissioning. This made the vulnerability particularly impactful for organizations that delayed migration, as exploitation was occurring with no official remediation available for the affected version.

Remediation

  1. Migrate immediately from Ivanti CSA 4.6.x to CSA 5.0.2 or later — no security patches will be issued for the EOL 4.6.x line.
  2. If immediate migration is not possible, isolate the CSA appliance: restrict admin console access to trusted management IPs only; block internet-facing access to the admin interface.
  3. Check for indicators of compromise on CSA appliances — review authentication logs for unusual admin access, unexpected configuration changes, new user accounts, and signs of the CVE-2024-9380/9381 chain being used alongside this SQL injection.
  4. Also apply remediations for CVE-2024-9380 (OS command injection) and CVE-2024-9381 (path traversal), which are exploited together with this vulnerability.
  5. After migration to CSA 5.0.x, perform a full forensic review of the prior appliance before trusting any credentials or configurations that passed through it.
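Steps 2 and 3 above, turned into a small triage routine as an added example (not an Ivanti tool): admin-console events are checked against a management-network allowlist, and account or configuration changes are flagged for review. The log line format `<ts> <event> user=<name> src=<ip>`, the sample lines and the trusted range 10.0.5.0/24 are all constructed assumptions, not CSA's real log layout.

```python
import ipaddress
import re

# Constructed sample log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2024-10-07T22:14:03Z admin_login user=admin src=10.0.5.20
2024-10-07T23:41:55Z admin_login user=admin src=203.0.113.45
2024-10-07T23:42:10Z user_created user=svc_backup src=203.0.113.45
2024-10-07T23:43:02Z config_changed user=admin src=203.0.113.45
2024-10-08T08:02:11Z admin_login user=admin src=10.0.5.21
"""

# Remediation step 2: networks allowed to reach the admin console (assumed).
TRUSTED_MGMT = [ipaddress.ip_network("10.0.5.0/24")]
# Remediation step 3: events to review regardless of source address.
HIGH_INTEREST = {"user_created", "config_changed"}
LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)$")

def parse(line: str):
    """Split one line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, user, src = m.groups()
    return {"ts": ts, "event": event, "user": user, "src": ipaddress.ip_address(src)}

def is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_MGMT)

def triage(log_text: str) -> list:
    """One finding per suspicious record: (ts, event, user, src, reasons)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        reasons = []
        if not is_trusted(rec["src"]):
            reasons.append("admin console reached from outside management range")
        if rec["event"] in HIGH_INTEREST:
            reasons.append("account or configuration change to review")
        if reasons:
            findings.append((rec["ts"], rec["event"], rec["user"], str(rec["src"]), tuple(reasons)))
    return findings

def sources_needing_forensics(findings: list) -> set:
    """Addresses that both bypassed the allowlist and changed accounts or config,
    the combination step 5 says should trigger a full review before trusting anything."""
    return {src for _, _, _, src, reasons in findings if len(reasons) == 2}
```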

Key Details

Property               Value
CVE ID                 CVE-2024-9379
Vendor / Product       Ivanti — Cloud Services Appliance (CSA)
NVD Published          2024-10-08
NVD Last Modified      2025-10-24
CVSS 3.1 Score         6.5
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Severity               MEDIUM
CWE                    CWE-89
CISA KEV Added         2024-10-09
CISA KEV Deadline      2024-10-30
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    High
User Interaction       None
Scope                  Unchanged
Confidentiality        None
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2024-10-30. As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to a supported release in the 5.0.x line or later.

Timeline

Date         Event
2024-09-10   CVE-2024-8963 (CSA path traversal) patched — prior Ivanti CSA zero-day
2024-10-08   Ivanti discloses three new zero-days: CVE-2024-9379, CVE-2024-9380, CVE-2024-9381 — active exploitation confirmed
2024-10-09   CISA adds CVE-2024-9379 to Known Exploited Vulnerabilities catalog
2024-10-30   CISA BOD 22-01 remediation deadline