Newly patched Ivanti CSA flaw under active exploitation



In January, after a series of attacks that exploited zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure, CISA took the unusual step of ordering all federal agencies to disconnect the impacted Ivanti products from their networks. After that incident Ivanti became one of the first vendors to sign CISA’s Secure by Design pledge and launched a review and overhaul of its security engineering and vulnerability management practices.

In February, attackers targeted an Ivanti XXE vulnerability in specific versions of Ivanti Connect Secure, Ivanti Policy Secure, and ZTA gateways days after it was patched. Later, security agencies from several nations warned that attackers were able to deceive integrity checking tools provided by Ivanti in response to those zero-days. In April, in the wake of these issues, Ivanti announced plans to revamp its core engineering and security operations to defend against frequent and evolving adversary activity.

Impacted CSA users urged to upgrade to version 5.0

The CVE-2024-8190 vulnerability patched on Sept. 10 is a command injection vulnerability that allows attackers to achieve arbitrary code execution on the underlying OS. The vulnerability requires administrative privileges to exploit, which means the attackers must either have obtained such credentials in some other way or brute-forced them because they were too weak. Because of this, the flaw is only rated high severity instead of critical, with a score of 7.2 out of 10 on the CVSS scale.
