Chinese Hackers Suspected in Ivanti CSA Attacks: Webshells and Lateral Movement Detected

Summary: A series of critical vulnerabilities in the Ivanti Cloud Service Appliance (CSA) 4.6 has been actively exploited, allowing remote attackers to execute arbitrary commands and manipulate SQL queries. Although the platform reached its end-of-life in 2024, attackers continue to target it, chaining these vulnerabilities to gain initial access and deploy persistent webshells. Investigation reveals that sophisticated threat actors are using various techniques to compromise networks and escalate privileges after exploitation.

Affected: Ivanti Cloud Service Appliance (CSA) 4.6

Key points:

  • Multiple vulnerabilities allow unauthenticated remote code execution (RCE) and SQL injection, posing serious security risks.
  • Active exploitation began shortly after vulnerabilities were disclosed, with public reports confirming attacks starting September 13, 2024.
  • Attackers deploy various webshell variants to maintain long-term access, and lateral movement is observed within compromised networks.

Source: https://securityonline.info/chinese-hackers-suspected-in-ivanti-csa-attacks-webshells-and-lateral-movement-detected-sources-and-related-content/