
Ivanti has raised an alert regarding three new security vulnerabilities affecting its Cloud Service Appliance (CSA) that are being actively exploited in the wild.
These zero-day vulnerabilities are reportedly being used alongside another previously patched flaw in CSA, as indicated by the software services provider based in Utah.
If successfully exploited, these vulnerabilities could empower an authenticated attacker with admin rights to bypass restrictions, execute arbitrary SQL commands, or achieve remote code execution.
The company acknowledged, “We have become aware of a limited number of customers utilizing CSA 4.6 patch 518 and earlier versions who have faced exploitation of CVE-2024-9379, CVE-2024-9380, or CVE-2024-9381 when combined with CVE-2024-8963.”
Importantly, there have been no indications of exploitation targeting customer environments that are running CSA 5.0. A summary of the three vulnerabilities is outlined below:
- CVE-2024-9379 (CVSS score: 6.5) – This SQL injection vulnerability in the admin web console of Ivanti CSA prior to version 5.0.2 enables a remote authenticated attacker with admin privileges to execute arbitrary SQL statements.
- CVE-2024-9380 (CVSS score: 7.2) – This is an operating system (OS) command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2, allowing a remote authenticated attacker with admin access to gain remote code execution.
- CVE-2024-9381 (CVSS score: 7.2) – This path traversal vulnerability in Ivanti CSA before version 5.0.2 permits a remote authenticated attacker with admin rights to bypass certain restrictions.
The attacks that Ivanti has detected involve the combination of these vulnerabilities with CVE-2024-8963 (CVSS score: 9.4), which is a critical path traversal vulnerability that allows remote unauthenticated access to restricted functionalities.
Ivanti discovered these three new vulnerabilities during its investigation into the exploitation of CVE-2024-8963 and CVE-2024-8190 (CVSS score: 7.2), another OS command injection vulnerability in CSA that has been used maliciously.
The company advises upgrading to the latest version (5.0.2) and urges users to inspect the appliance for any unauthorized changes to administrative users and to monitor for alerts generated by endpoint detection and response (EDR) tools present on the devices.
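Two of the checks Ivanti recommends above, the version comparison and the audit of administrative accounts against a known-good list, can be scripted. The following is an added example written for this page, not Ivanti's own tooling. It assumes (these are assumptions, not facts from the advisory) that an operator can obtain the appliance version as a string in either spelling the advisory uses ("4.6 patch 518" or "5.0.2") and can export the current list of administrative user names; the sample data is constructed.

```python
import re

# Fixed version stated in the advisory: CSA 5.0.2 resolves the three CVEs.
FIXED_VERSION = (5, 0, 2)

# Accepts "4.6 patch 518", "5.0.2" and "5.0" (assumed spellings, see lead-in).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s+patch\s+(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Normalise both version spellings into one comparable tuple.

    "4.6 patch 518" -> (4, 6, 518); "5.0.2" -> (5, 0, 2); "5.0" -> (5, 0, 0).
    The patch number of the 4.x line and the micro number of the 5.x line
    both land in the third slot, so tuples compare correctly across lines.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CSA version string: {text!r}")
    major, minor, micro, patch = m.groups()
    third = patch if patch is not None else (micro or "0")
    return (int(major), int(minor), int(third))


def is_affected(version: str) -> bool:
    """True when the version predates 5.0.2 and therefore needs the upgrade."""
    return parse_version(version) < FIXED_VERSION


def diff_admins(baseline: list[str], current: list[str]) -> dict[str, list[str]]:
    """Compare the administrative users present now against a known-good
    baseline. Any name in 'added' was not provisioned by the operator and
    is exactly the kind of unauthorised change the advisory asks you to look for."""
    base, cur = set(baseline), set(current)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def assess(version: str, baseline_admins: list[str], current_admins: list[str]) -> list[str]:
    """Run both checks and return findings; an empty list means nothing to do."""
    findings = []
    if is_affected(version):
        findings.append(
            f"CSA {version} predates 5.0.2: upgrade to close CVE-2024-9379, "
            "CVE-2024-9380 and CVE-2024-9381 (chained with CVE-2024-8963)"
        )
    changes = diff_admins(baseline_admins, current_admins)
    for name in changes["added"]:
        findings.append(f"admin account not in baseline: {name!r} (investigate)")
    for name in changes["removed"]:
        findings.append(f"baseline admin account missing: {name!r} (investigate)")
    return findings


if __name__ == "__main__":
    # Constructed sample data, not taken from any real appliance.
    baseline = ["admin", "csa-ops"]
    current = ["admin", "csa-ops", "support_tmp"]
    for line in assess("4.6 patch 518", baseline, current):
        print(line)
```

The baseline list should come from a record kept outside the appliance (a ticket, a configuration repository), since an attacker with admin rights on the CSA could alter anything stored on the device itself; the EDR alerts the advisory mentions remain the complementary signal for activity that does not leave an account behind.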
This announcement comes shortly after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security vulnerability affecting Ivanti Endpoint Manager (EPM), which was resolved in May (CVE-2024-29824, CVSS score: 9.6), to its Known Exploited Vulnerabilities (KEV) catalog.