Introduction

The cybersecurity landscape is currently facing significant threats from malicious actors, particularly the group UNC5221, who are exploiting critical vulnerabilities in Ivanti Cloud Service Appliances (CSA) [1] [4] [5] [6] [7] [9]. These vulnerabilities, identified as CVE-2024-8963 [1] [6] [8] [9], CVE-2024-9379 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12], CVE-2024-8190 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12], and CVE-2024-9380 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], are being used in sophisticated chained attacks to compromise systems, execute remote code [1] [3] [4] [6] [7] [8] [9] [11], steal credentials [1] [3] [4] [6] [7] [8] [9] [10] [11], and implant webshells [1] [3] [6] [7] [8] [9].

Description

Threat actors [1] [2] [3] [4] [5] [6] [7] [9] [10], particularly the group UNC5221, are actively exploiting critical vulnerabilities in Ivanti Cloud Service Appliances (CSA) [1] [5] [6] [7] [9], specifically CVE-2024-8963 [2] [4] [5] [7] [11], CVE-2024-9379 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12], CVE-2024-8190 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12], and CVE-2024-9380 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]. These vulnerabilities have been leveraged in chained attacks to breach systems, execute remote code (RCE) [1] [3] [4] [7] [9], steal credentials [1] [3] [4] [6] [7] [8] [9] [10] [11], and implant webshells on targeted networks [3] [6] [8]. CVE-2024-8963 is an administrative bypass vulnerability that enables attackers to remotely access restricted features, while CVE-2024-9379 is a SQL injection vulnerability affecting Ivanti CSA versions 4.6 and below [12], allowing remote authenticated attackers with admin privileges to execute arbitrary SQL statements [10]. CVE-2024-8190 and CVE-2024-9380 are remote code execution vulnerabilities; chained with the CVE-2024-8963 bypass, they give an attacker initial access and the ability to run code on the appliance.

Two primary exploit chains have been identified: the first combines CVE-2024-8963 with CVE-2024-8190 and CVE-2024-9380 [11], while the second links CVE-2024-8963 with CVE-2024-9379 [11]. In the first chain [11], attackers send a GET request to obtain session and CSRF tokens [11], followed by a POST request to manipulate the setSystemTimeZone function and execute code [11]. The second chain involves exploiting CVE-2024-8963 and CVE-2024-9379 to gain initial access through a specific GET request [11].
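As an added illustration (not code from the advisory or any of the cited sources), the following script hunts for the first chain's request pattern in constructed web-access-log lines: a GET from a source followed shortly by a POST that invokes setSystemTimeZone. The URL paths are hypothetical placeholders, since the page does not name the real CSA endpoints, and the trailing quoted field stands in for a reverse-proxy body fragment that real access logs do not normally carry.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, not real telemetry. Paths are placeholders; only the
# setSystemTimeZone function name comes from the advisory text.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2025:10:00:01 +0000] "GET /PLACEHOLDER/login HTTP/1.1" 200 512 "-"
203.0.113.5 - - [22/Jan/2025:10:00:03 +0000] "POST /PLACEHOLDER/datetime HTTP/1.1" 200 88 "action=setSystemTimeZone"
198.51.100.7 - - [22/Jan/2025:10:05:00 +0000] "GET /PLACEHOLDER/index HTTP/1.1" 200 1024 "-"
198.51.100.7 - - [22/Jan/2025:11:30:00 +0000] "POST /PLACEHOLDER/datetime HTTP/1.1" 200 88 "action=setSystemTimeZone"
192.0.2.9 - - [22/Jan/2025:12:00:00 +0000] "GET /PLACEHOLDER/index HTTP/1.1" 200 1024 "-"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<body>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(seconds=60)  # token-fetch GET followed by the POST within a minute

def parse_log(text):
    """Parse the constructed access-log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], TS_FMT)
            events.append(d)
    return events

def find_chain_candidates(events, window=WINDOW):
    """Flag every POST that references setSystemTimeZone.
    Severity 'high' when the same source issued a GET within the window beforehand
    (the GET-for-tokens then POST sequence the advisory describes); 'medium' for an
    isolated POST, which still deserves review on an internet-facing appliance."""
    alerts = []
    last_get = {}  # src -> timestamp of that source's most recent GET
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["method"] == "GET":
            last_get[ev["src"]] = ev["ts"]
            continue
        if ev["method"] == "POST" and "setSystemTimeZone" in (ev["path"] + ev["body"]):
            prior = last_get.get(ev["src"])
            chained = prior is not None and ev["ts"] - prior <= window
            alerts.append({"src": ev["src"], "ts": ev["ts"].isoformat(),
                           "severity": "high" if chained else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_chain_candidates(parse_log(SAMPLE_LOG)):
        print(alert)
```

Tune the window and the matched function name to the appliance's real request logging before relying on the rule; it is a triage aid, not proof of compromise.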

The Cybersecurity and Infrastructure Security Agency (CISA) [5] [6] [7] [8], in collaboration with the FBI [1] [9], has issued a joint advisory emphasizing the heightened risk posed by these chaining techniques, which complicate defense efforts. Due to evidence of active exploitation [10], CISA has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. Network administrators are strongly urged to upgrade to the latest supported version of Ivanti CSA [1] [4] [7] [9] [10] [12], as version 4.6 has reached end-of-life (EOL) and no longer receives security updates [5] [7], rendering it highly vulnerable [7]. Notably, CVE-2024-9379 and CVE-2024-9380 also affect CSA versions 5.0.1 and below [3] [4] [5] [8] [10], while version 5.0 has not been exploited and is recommended for customers.

To mitigate these threats [4], CISA advises implementing security measures such as multifactor authentication [7], timely patching [7], and endpoint monitoring to bolster defenses against these vulnerabilities. Credentials and sensitive data stored on affected appliances should be treated as compromised [8] [10]. Administrators are also encouraged to actively search their networks for malicious activity using the provided indicators of compromise (IOCs) and forensic data, to strengthen vulnerability management, and to stay informed about ongoing threat activity. Organizations that detect and respond quickly to anomalous activity can limit further exploitation [5]. In the event of a detected compromise [4], it is recommended to quarantine affected hosts [4], reimage them [4], issue new account credentials [4], collect and review artifacts [4], and report incidents to the relevant authorities [4]. Immediate action is essential for cyber defenders to protect against intrusions leveraging these exploit chains [11], as exploitation of these vulnerabilities poses a significant risk to networks [6], sensitive information [6], and business operations [6]. Organizations should also validate their security programs against the threat actor behaviors catalogued in the MITRE ATT&CK for Enterprise framework [4].

Conclusion

The exploitation of vulnerabilities in Ivanti CSA by threat actors like UNC5221 poses a substantial risk to network security, sensitive data [10], and business operations [6]. To mitigate these risks [4] [11], organizations must prioritize upgrading to secure versions, implement robust security measures [7], and remain vigilant against potential threats. Proactive detection and response to anomalous activities are crucial in preventing further exploitation. As the threat landscape evolves, continuous validation of security programs against known threat actors is imperative to safeguard against future attacks.

References

[1] https://www.cisa.gov/news-events/alerts/2025/01/22/cisa-and-fbi-release-advisory-how-threat-actors-chained-vulnerabilities-ivanti-cloud-service
[2] https://www.hendryadrian.com/fbi-cisa-share-details-on-ivanti-exploits-chains-what-network-defenders-need-to-know/
[3] https://thecyberwire.com/newsletters/daily-briefing/14/15
[4] https://www.darkreading.com/vulnerabilities-threats/cisa-ivanti-vulns-chained-attacks
[5] https://thecyberexpress.com/rcritical-ivanti-csa-vulnerabilities-exploited/
[6] https://globalregulatoryinsights.com/art/cisa-and-fbi-release-advisory-on-how-threat-actors-chained-vulnerabilities-in-ivanti-cloud-service-applications/
[7] https://www.infosecurity-magazine.com/news/cisa-fbi-warn-chained-attacks/
[8] https://www.cybersecuritydive.com/news/ivanti-zero-days-chained-attacks/738130/
[9] https://marbersecurity.com/cybersecurity-alerts-news-tips/cisa-and-fbi-release-advisory-on-how-threat-actors-chained-vulnerabilities-in-ivanti-cloud-service-applications/
[10] https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a
[11] https://socprime.com/blog/detect-exploit-chains-leveraging-critical-ivanti-csa-vulnerabilities/
[12] https://www.waterisac.org/portal/vulnerability-awareness-%E2%80%93-joint-advisory-ivanti-exploit-chains-suspected-chinese-threat