Today, Ivanti warned customers about a new maximum-severity authentication bypass vulnerability in its Cloud Services Appliance (CSA) solution.
The security flaw (tracked as CVE-2024-11639 and reported by CrowdStrike’s Advanced Research Team) lets remote attackers gain administrative privileges on vulnerable appliances running Ivanti CSA 5.0.2 or earlier. Exploitation requires no authentication or user interaction: attackers circumvent authentication using an alternate path or channel.
Ivanti advises admins to upgrade vulnerable appliances to CSA 5.0.3 using detailed information available in this support document.
“We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program,” the company said on Tuesday. “Currently, there is no known public exploitation of these vulnerabilities that could be used to provide a list of indicators of compromise.”
Today, Ivanti patched other medium, high, and critical vulnerabilities in Desktop and Server Management (DSM), Connect Secure and Policy Secure, Sentry, and Patch SDK products. However, as noted in a security advisory published on Tuesday, there is no evidence that these vulnerabilities have been exploited in the wild.
CVE-2024-11639 is the sixth CSA security vulnerability patched in recent months, with the five previous ones being patched in:
In September, the company also warned customers that the CVE-2024-8190 and CVE-2024-8963 flaws were already being targeted in attacks.
Additionally, it alerted admins that the three security flaws fixed in October were being chained with the CVE-2024-8963 CSA admin bypass to run SQL statements via SQL injection, bypass security restrictions, and execute arbitrary code via command injection.
This stream of actively exploited vulnerabilities comes as Ivanti says it escalated testing and internal scanning capabilities and is improving its responsible disclosure process to patch security bugs faster.
Several other vulnerabilities were exploited as zero-days in widespread attacks earlier this year in campaigns targeting Ivanti VPN appliances and ICS, IPS, and ZTA gateways.
Ivanti provides services to over 40,000 companies that use its products to manage their systems and IT assets.