
Lack of patching leads to massive exploitation of Ivanti hardware

CISA, the U.S. cybersecurity agency, and the FBI report that attackers are still exploiting security vulnerabilities in Ivanti Cloud Service Appliances (CSA), even though patches have been available since September.

According to a report by BleepingComputer, hackers are using the vulnerabilities to penetrate networks. The vulnerabilities combined in these attacks include, first and foremost, CVE-2024-8963, an admin authentication bypass that was patched in September, and CVE-2024-8190, a remote code execution bug that was addressed in the same month.

Two other bugs, CVE-2024-9379, an SQL injection, and CVE-2024-9380, a remote code execution vulnerability, were fixed in October.

All four bugs were exploited as zero-days. CISA added them to its catalogue of known exploited vulnerabilities and called on Federal Civilian Executive Branch (FCEB) agencies to secure their devices.

The actors’ main exploit paths were two vulnerability chains. One chain combined CVE-2024-8963 with CVE-2024-8190 and CVE-2024-9380, while the other combined CVE-2024-8963 with CVE-2024-9379.

CISA Cyber Ivanti Alert

CISA and the FBI now strongly urge all network administrators to upgrade their devices to the latest supported version of Ivanti CSA to prevent ongoing attacks on their systems.

Administrators are also advised to actively look for signs of malicious activity on their networks, for example by using the indicators of compromise (IOCs) and detection methods shared in the advisory.

CISA and the FBI state that organizations should treat login credentials and sensitive data stored on affected Ivanti devices as compromised, and should collect and analyze logs for malicious activity.

A Chinese hacker group is also involved

This series of actively exploited vulnerabilities emerged as Ivanti ramped up internal testing and scanning and said it had improved its disclosure process so that security vulnerabilities are patched faster.

Several other vulnerabilities were exploited as zero-days last year in large-scale attacks on vulnerable Ivanti VPN devices and ICS, IPS, and ZTA gateways.

In addition, Ivanti Connect Secure VPN devices have been targeted since early 2025 by a suspected China-linked espionage group known as UNC5221. Those were zero-day attacks achieving remote code execution, in which the group deployed new malware called Dryhook and Phasejam.

Ivanti’s customer list includes more than 40,000 companies worldwide that use their products to manage systems and IT assets.