CVE-2024-9380 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Ivanti Cloud Services Appliance (CSA) OS Command Injection Vulnerability

Exploit added

October 9, 2024

Action due

October 30, 2024

Action required

As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.

Description

An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution.

References

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381

Weakness Enumeration

CWE-ID	CWE Name
CWE-77	Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
CWE-78	Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Known Affected Software Configurations

cpe:2.3:a:ivanti:endpoint_manager_cloud_services_appliance:4.5:-::::::
cpe:2.3:a:ivanti:endpoint_manager_cloud_services_appliance:4.6:patch_512::::::
cpe:2.3:a:ivanti:endpoint_manager_cloud_services_appliance:4.6:-::::::

Details

Source:
NVD

Published:
October 8, 2024

Updated:
October 10, 2024

Risk information

CVSS v3

Base score:
7.2

Severity:

HIGH

Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v2

Not defined