CVE-2024-9380 — Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability

CVE-2024-9380

Ivanti CSA 4.6.x — Admin-Authenticated OS Command Injection; EOL Product in Actively Exploited Ivanti Chaining Campaigns

What is Ivanti Cloud Services Appliance?

Ivanti Cloud Services Appliance (CSA) is an on-premises, internet-facing gateway appliance for Ivanti Endpoint Manager (formerly LANDESK). It relays management traffic between Endpoint Manager and devices that are outside the corporate network, so that remote device management, software deployment and patch management keep working for off-network endpoints, and it exposes a web-based administrative console for configuration and management. Ivanti CSA 4.6.x has reached end-of-life and no longer receives security patches from Ivanti; the vendor's remediation guidance is to upgrade to a supported CSA 5.0.x release.

Overview

CVE-2024-9380 is an OS command injection vulnerability in the administrative web console of Ivanti CSA that allows a remote, authenticated attacker with application admin privileges to execute arbitrary commands on the underlying OS. On its own it requires admin credentials (CVSS PR:H). In practice it has been chained with CVE-2024-8963, a path traversal in CSA 4.6.x that lets an unauthenticated attacker reach admin-only functionality, so the combined chain yields unauthenticated OS command execution on end-of-life appliances; CVE-2024-8190, an earlier OS command injection in CSA, was chained with CVE-2024-8963 in the same way. CISA added CVE-2024-9380 to the KEV catalog one day after publication, confirming active exploitation in the wild.

Affected Versions

Product                        Status
Ivanti CSA 4.6.x               Affected; end-of-life, no patch available, upgrade required
Ivanti CSA 5.0.1 and earlier   Affected; fixed in CSA 5.0.2
Ivanti CSA 5.0.2 and later     Not affected

Ivanti's guidance is to upgrade to CSA 5.0.2 or later. No patch will be issued for the 4.6.x branch.

Technical Details

CWE-77 (Improper Neutralization of Special Elements used in a Command). A feature of the CSA administrative console passes admin-supplied configuration values into an OS command without neutralizing shell metacharacters. An attacker who can reach that feature with admin-level access therefore controls part of a command line that the appliance hands to the underlying operating system, and can terminate the intended command and append their own (for example with `;` or `|`). The CVSS vector (PR:H) scores the bug in isolation; because CVE-2024-8963 lets an unauthenticated attacker reach admin-only endpoints on CSA 4.6.x, the chained attack needs no legitimate credentials, and because 4.6.x is end-of-life, no patch will remove the injection from that branch.

CVE-2024-9380 is one of several CSA bugs that chain with the CVE-2024-8963 path traversal. The October 2024 advisory covers CVE-2024-9379, CVE-2024-9380 and CVE-2024-9381; CVE-2024-8963 and CVE-2024-8190 come from Ivanti's September 2024 advisories:

  • CVE-2024-8963 (path traversal, September 2024): bypasses authentication to reach admin-only endpoints
  • CVE-2024-9380 (OS command injection, October 2024): executes OS commands once those endpoints are reachable
  • CVE-2024-8190 (OS command injection, September 2024): an earlier, separately fixed injection that was chained with CVE-2024-8963 in the same way
  • CVE-2024-9379 (SQL injection, October 2024): runs arbitrary SQL statements against the appliance database from the admin console
  • CVE-2024-9381 (path traversal, October 2024): lets an admin-level attacker bypass restrictions in the admin console
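The injection pattern described under Technical Details, as an added example that is not Ivanti's code and not taken from the advisory: a hypothetical admin-console setting (an NTP server hostname) is spliced into a shell command string, beside the same operation done without a shell and with an allowlist check. `echo` stands in for whatever command the real appliance runs, so the demo is harmless and runs offline.

```python
import re
import subprocess

# Constructed stand-in for an admin-console setting that ends up in a system
# command. "echo" replaces the real command, so the demo is harmless; nothing
# here is Ivanti's code.
_LABEL_RE = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL_RE}(?:\.{_LABEL_RE})*")


def vulnerable_apply_setting(value: str) -> str:
    """CWE-77 pattern: the admin-supplied value is spliced into a shell
    command string, so ';', '|', '$(...)' etc. are interpreted by /bin/sh."""
    proc = subprocess.run(
        f"echo configured {value}", shell=True, capture_output=True, text=True
    )
    return proc.stdout


def argv_apply_setting(value: str) -> str:
    """Same operation without a shell: the value is one argv element, so
    metacharacters reach the program as literal text and nothing else runs."""
    proc = subprocess.run(
        ["echo", "configured", value], capture_output=True, text=True
    )
    return proc.stdout


def hardened_apply_setting(value: str) -> str:
    """Defence in depth: reject anything that is not a plausible hostname
    *and* avoid the shell. The check is an allowlist of what a hostname may
    contain, not a blocklist of known-bad characters (easy to bypass)."""
    if len(value) > 253 or not HOSTNAME_RE.fullmatch(value):
        raise ValueError(f"rejected setting value: {value!r}")
    return argv_apply_setting(value)


# Constructed payload: a legitimate-looking hostname followed by an injected command.
PAYLOAD = "ntp.example.com; echo INJECTED"


def demo() -> dict:
    """Run all three variants on the payload and report what each did."""
    result = {
        "vulnerable": vulnerable_apply_setting(PAYLOAD).splitlines(),
        "argv_only": argv_apply_setting(PAYLOAD).splitlines(),
    }
    try:
        hardened_apply_setting(PAYLOAD)
        result["hardened"] = "accepted"
    except ValueError:
        result["hardened"] = "rejected"
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

The vulnerable variant runs the injected `echo INJECTED` as a second command; the argv variant prints the whole payload as literal text. Dropping the shell is what actually closes the injection, but the allowlist still matters because the called program may interpret a crafted value on its own (an option-looking argument, for instance), and it keeps the rejected value out of the appliance's command history and logs.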

Discovery

Ivanti published its October 2024 advisory on 2024-10-08, covering CVE-2024-9379, CVE-2024-9380 and CVE-2024-9381 in CSA. CISA added CVE-2024-9380 to the KEV catalog the next day; a one-day gap between CVE publication and KEV addition reflects confirmed active exploitation.

Exploitation Context

Ivanti CSA 4.6.x was already end-of-life when these vulnerabilities were disclosed and exploited, illustrating the persistent risk of running unsupported software in network-connected roles. CSA appliances manage endpoint fleets: an attacker with OS-level access can use the CSA as a pivot to push malicious software to managed endpoints, collect management credentials, or disrupt endpoint management operations. Exploitation of Ivanti network appliances was a major theme in 2024, with multiple Ivanti products (CSA, Connect Secure VPN, EPMM) appearing in the CISA KEV catalog.

Remediation

  1. Upgrade to Ivanti CSA 5.0.2 or later. The 4.6.x branch is end-of-life with no patches available, so this is the only permanent remediation.
  2. If immediate upgrade is not possible, make sure the administrative console is not reachable from the internet and restrict administrative access to a known-good source IP allowlist.
  3. Before upgrading, review the CSA administrative logs and the appliance's web server logs for unauthorized logins, administrative requests from unexpected source addresses, and unexpected configuration changes; an upgrade alone does not evict an attacker who already has OS-level access.
  4. See also CVE-2024-8963 (path traversal) and CVE-2024-8190 (command injection); all three vulnerabilities are addressed by moving to a supported 5.0.x release.
  5. After upgrading, rotate all credentials managed by or accessible through the CSA, including Endpoint Manager service accounts.
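A triage script for steps 2 and 3 above, added here as an example and not an Ivanti tool. It assumes the console sits behind a web server that writes Apache/nginx "combined" access logs, that admin pages live under a placeholder `/admin/` prefix (the real console path is not given on this page), and that administrators only connect from a known CIDR allowlist. The sample log lines are constructed, not real CSA logs, and the checks are generic (decoded `..` segments, shell metacharacters in a query, admin requests from outside the allowlist) rather than signatures for the specific CVEs.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumptions (not from the advisory): combined-format access logs, admin
# pages under ADMIN_PREFIX, admins only ever connect from ALLOWED_ADMIN_CIDRS.
ADMIN_PREFIX = "/admin/"
ALLOWED_ADMIN_CIDRS = ["10.0.0.0/8"]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")      # a ".." segment after decoding
SHELL_META_RE = re.compile(r"[;|&`]|\$\(|\$\{|\n")     # common command-injection tokens

# Constructed sample lines: a legitimate admin, an outside source probing the
# console, a traversal into an admin page, then an encoded ';' in a setting value.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Oct/2024:10:00:01 +0000] "GET /admin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Oct/2024:10:00:02 +0000] "GET /admin/status HTTP/1.1" 401 0 "-" "curl/8.0"
203.0.113.7 - - [08/Oct/2024:10:00:03 +0000] "GET /client/../admin/config HTTP/1.1" 200 900 "-" "curl/8.0"
203.0.113.7 - - [08/Oct/2024:10:00:04 +0000] "POST /admin/config?server=ntp.example.com%3Bid HTTP/1.1" 200 10 "-" "curl/8.0"
10.0.0.5 - - [08/Oct/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def triage(log_text: str, allowed_cidrs) -> list:
    """Return (line_no, source_ip, finding) for every suspicious request."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a parseable access-log line
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        parts = urlsplit(m["target"])
        path = unquote(parts.path)        # decode %2e%2e before looking for ".."
        query = unquote(parts.query)      # decode %3B before looking for ";"
        if TRAVERSAL_RE.search(path):
            findings.append((line_no, m["ip"], "path_traversal"))
        if SHELL_META_RE.search(query):
            findings.append((line_no, m["ip"], "shell_metacharacters"))
        # Normalise so "/client/../admin/x" is counted as an admin request.
        is_admin = posixpath.normpath(path).startswith(ADMIN_PREFIX)
        if is_admin and not any(src in net for net in nets):
            findings.append((line_no, m["ip"], "admin_access_outside_allowlist"))
    return findings


if __name__ == "__main__":
    for line_no, ip, finding in triage(SAMPLE_LOG, ALLOWED_ADMIN_CIDRS):
        print(f"line {line_no}: {ip} -> {finding}")
```

Point the script at the real log path and the real console prefix once you know them; a request that normalises into the admin area from outside the allowlist is worth following up even when the response was 401, because a traversal bypass would not necessarily produce a failed-login entry in the application's own log.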

Key Details

Property              Value
CVE ID                CVE-2024-9380
Vendor / Product      Ivanti — Cloud Services Appliance (CSA)
NVD Published         2024-10-08
NVD Last Modified     2025-10-24
CVSS 3.1 Score        7.2
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-77
CISA KEV Added        2024-10-09
CISA KEV Deadline     2024-10-30
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 deadline: 2024-10-30. Because Ivanti CSA 4.6.x has reached end-of-life, CISA's required action is to remove CSA 4.6.x from service or upgrade to the 5.0.x line (or later) of the supported product.

Timeline

Date        Event
2024-10-08  Ivanti publishes security advisory covering CVE-2024-9379, CVE-2024-9380 and CVE-2024-9381 for CSA
2024-10-09  Added to CISA Known Exploited Vulnerabilities catalog
2024-10-30  CISA BOD 22-01 remediation deadline