Yesterday, CISA and the FBI released a joint advisory that includes technical details of at least two exploit chains threat actors have used to compromise Ivanti Cloud Service Appliances (CSA). The advisory responds to active exploitation of the following vulnerabilities in Ivanti CSA:
- CVE-2024-8963 – Administrative bypass
- CVE-2024-9379 – SQL injection
- CVE-2024-8190 – Remote code execution
- CVE-2024-9380 – Remote code execution
Affected versions of Ivanti CSA include CSA versions 4.6x and 5.0.1. Network administrators and defenders are strongly encouraged to upgrade to the latest supported version of Ivanti CSA. Ivanti has noted that these vulnerabilities have not been exploited in the newest CSA version 5.0. CISA also released indicators of compromise (IoCs) and other forensic data, and encourages network defenders to use them to hunt for suspicious activity.
While the advisory does not explicitly say so, Google-owned Mandiant has publicly attributed recent attacks on Ivanti CSA to an advanced persistent threat (APT) sub-group tracked as UNC5221, a suspected China-affiliated espionage actor. UNC5221 has exploited Ivanti Connect Secure VPN appliances since at least December 2023. Access the full advisory at CISA.
Additional Resource:
FBI/CISA Share Details on Ivanti Exploit Chains: What Network Defenders Need to Know