On December 10, 2024, Ivanti released updates for three critical-severity vulnerabilities impacting their Cloud Services Application. By chaining the vulnerabilities together, a threat actor could obtain administrative privileges via authentication bypass (CVE-2024-11639), which could then allow for remote code execution (CVE-2024-11772) and/or SQL injection (CVE-2024-11773).
Vulnerability | CVSS | Exploitation | Description |
CVE-2024-11639 | CVSS: 10.0 – Critical | No Exploitation Detected | Authentication Bypass Vulnerability – Could allow an unauthenticated threat actor to obtain administrative access to the admin web console of Ivanti CSA. |
CVE-2024-11772 | CVSS: 9.1 – Critical | No Exploitation Detected | Command Injection Vulnerability – Could allow an authenticated threat actor with admin privileges to achieve remote code execution. |
CVE-2024-11773 | CVSS: 9.1 – Critical | No Exploitation Detected | SQL Injection Vulnerability – Could allow an authenticated threat actor with admin privileges to run arbitrary SQL statements. |
All three vulnerabilities were responsibly disclosed to Ivanti and have not been exploited in the wild. However, based on the significant historical targeting of Ivanti vulnerabilities, including similar vulnerabilities impacting Cloud Services Appliance and Endpoint Manager, and the potential privileges obtained by successful exploitation, we assess threat actors will likely attempt to create a PoC exploit and chain these vulnerabilities together within the near term.
Recommendation
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
Product | Affected Version | Fixed Version |
Ivanti Cloud Services Application |
|
Please follow your organization’s patching and testing guidelines to avoid any operational impact.