Technical Severity
CRITICAL
CVSS v3.1 Metrics
9.4 / 10
Vector Specification
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Exploitation Likelihood
EPSS Prediction
Predictive Probability
94.23%
Percentile Rank
99.9th
Documented as more likely to be exploited than 99.9% of known CVEs.
Detection Date
Sep 19, 2024
Remediation Due
Oct 10, 2024
CISA Catalog Active
Threat Analysis
Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance.
Remediation Directive
As Ivanti CSA has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line of supported solutions, as future vulnerabilities on the 4.6.x version of CSA are unlikely to receive security updates.