Dive Brief:
- Attackers exploited and chained multiple previously disclosed Ivanti Cloud Service Appliance vulnerabilities together in different sequences to intrude at least three victim organizations, federal officials said Wednesday in a joint advisory.
- The FBI and Cybersecurity and Infrastructure Security Agency said four vulnerabilities Ivanti disclosed in September and October were exploited by attackers to gain initial access, achieve remote code execution, obtain credentials and implant webshells on victim networks. All four vulnerabilities were exploited as zero-days, according to Ivanti’s advisories.
- Authorities said one exploit chain used CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380, and the other exploited CVE-2024-8963 and CVE-2024-9379. In one incident involving a confirmed compromise, attackers moved laterally to two servers.
Dive Insight:
Ivanti customers confronted multiple attack sprees targeting zero-days spanning a variety of products last year, including Ivanti Connect Secure, Ivanti Endpoint Manager and Ivanti Cloud Service Appliance. The beleaguered vendor disclosed another zero-day in multiple Ivanti products, including Ivanti Connect Secure, earlier this month.
The quartet of vulnerabilities flagged in the joint advisory affects Ivanti Cloud Service Appliance version 4.6, which is end-of-life and no longer receiving patches. Two of the vulnerabilities, CVE-2024-9379 and CVE-2024-9380, also affect Cloud Service Appliance versions 5.0.1 and below.
Ivanti encouraged customers to upgrade to Cloud Service Appliance 5.0 and said the vulnerabilities have not been exploited in the latest version of the product.
“The report released by CISA yesterday relates to a previously disclosed and fixed vulnerability in an end-of-life product and threat actor activity that occurred in September/October of last year,” a spokesperson for Ivanti said Thursday via email.
“The attack chain described by CISA cannot be exploited in the updated Cloud Security Application solution, and users that follow Ivanti’s guidance regarding not exposing their admin portal to the internet have a reduced risk from this vulnerability,” the spokesperson said. “As such, limited exploitation of this vulnerability has been observed to date.”
The FBI and CISA said credentials and data stored in affected Ivanti appliances should be considered compromised and advised customers to collect and analyze logs for malicious activity. The agencies published detailed indicators of compromise in the joint advisory.
Ivanti pledged to overhaul its internal security culture and practices in April, after a spree of attacks targeted flaws in Ivanti Connect Secure and other products. Those attacks hit targets including CISA, the Mitre Corp. and others.