CISA and the FBI warned today that attackers are still exploiting Ivanti Cloud Service Appliances (CSA) security flaws patched since September to breach vulnerable networks.
The vulnerabilities chained in these attacks include CVE-2024-8963 (an admin authentication bypass patched in September) and CVE-2024-8190 (a remote code execution bug patched the same month). Two other bugs, CVE-2024-9379 (an SQL injection) and CVE-2024-9380 (a remote code execution vulnerability), were both addressed in October.
All four bugs have been tagged as exploited in zero-day attacks before. CISA added them to its Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their appliances as mandated by Binding Operational Directive (BOD) 22-01.
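The remediation obligation described above is driven by the KEV catalog: an entry lands in the feed, and affected assets must be patched by the due date. The script below is an added example, not part of the article or of any CISA tooling. It cross-references a constructed excerpt of a KEV-style feed against a constructed appliance inventory and reports which hosts still carry un-remediated KEV entries, then checks those gaps against the two exploit chains the advisory describes. Only the four CVE identifiers come from the article; the hostnames, the `remediated` bookkeeping field and the extra feed entry are assumptions for the example. The real KEV feed is JSON with a top-level `vulnerabilities` list whose entries carry `cveID`, `vendorProject` and `product` among other fields; the excerpt keeps just those three.

```python
"""Cross-reference a KEV feed excerpt against an appliance inventory.

Added example, not the article's or CISA's code. Feed excerpt and
inventory are constructed; the four Ivanti CSA CVE IDs are the ones
named in the advisory the article reports on.
"""
import json

# Constructed KEV-style feed excerpt (real feed has more fields per entry).
KEV_FEED_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-8963", "vendorProject": "Ivanti", "product": "Cloud Services Appliance"},
        {"cveID": "CVE-2024-8190", "vendorProject": "Ivanti", "product": "Cloud Services Appliance"},
        {"cveID": "CVE-2024-9379", "vendorProject": "Ivanti", "product": "Cloud Services Appliance"},
        {"cveID": "CVE-2024-9380", "vendorProject": "Ivanti", "product": "Cloud Services Appliance"},
        # Unrelated placeholder entry, so the matching is shown to be product-scoped.
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "ExampleProduct"},
    ]
})

# Constructed inventory. "remediated" is an assumed field holding the KEV
# CVEs that patch tracking has confirmed applied on that host.
INVENTORY = [
    {"host": "csa-01.example.internal", "vendorProject": "Ivanti",
     "product": "Cloud Services Appliance",
     "remediated": {"CVE-2024-8963", "CVE-2024-8190", "CVE-2024-9379", "CVE-2024-9380"}},
    {"host": "csa-02.example.internal", "vendorProject": "Ivanti",
     "product": "Cloud Services Appliance",
     "remediated": {"CVE-2024-8963", "CVE-2024-8190"}},
    {"host": "csa-03.example.internal", "vendorProject": "Ivanti",
     "product": "Cloud Services Appliance",
     "remediated": set()},
    {"host": "other-01.example.internal", "vendorProject": "ExampleVendor",
     "product": "Firewall", "remediated": set()},
]

# The two chains the advisory describes (from the article text).
ADVISORY_CHAINS = [
    {"CVE-2024-8963", "CVE-2024-8190", "CVE-2024-9380"},
    {"CVE-2024-8963", "CVE-2024-9379"},
]


def load_kev(feed_json):
    """Index the feed as {(vendor, product): set of CVE IDs}, case-insensitive."""
    data = json.loads(feed_json)
    index = {}
    for entry in data["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, set()).add(entry["cveID"])
    return index


def outstanding_kev(inventory, kev_index):
    """Return {host: sorted KEV CVEs not yet remediated} for non-compliant hosts."""
    findings = {}
    for asset in inventory:
        key = (asset["vendorProject"].lower(), asset["product"].lower())
        missing = kev_index.get(key, set()) - asset["remediated"]
        if missing:
            findings[asset["host"]] = sorted(missing)
    return findings


def open_chains(missing_cves, chains=ADVISORY_CHAINS):
    """Chains whose every link is still unpatched on a host.

    Used only to prioritise: every KEV entry must still be remediated,
    since a single unpatched link may be usable with paths not in the advisory.
    """
    return [sorted(chain) for chain in chains if chain <= set(missing_cves)]


def report(inventory=INVENTORY, feed_json=KEV_FEED_JSON):
    """Produce {host: {"missing": [...], "open_chains": [[...], ...]}}."""
    findings = outstanding_kev(inventory, load_kev(feed_json))
    return {host: {"missing": cves, "open_chains": open_chains(cves)}
            for host, cves in findings.items()}


if __name__ == "__main__":
    for host, detail in report().items():
        print(host, "missing:", ", ".join(detail["missing"]))
        for chain in detail["open_chains"]:
            print("  fully open chain:", " + ".join(chain))
```

Run it as-is and the fully unpatched `csa-03` host is reported with both advisory chains open, `csa-02` with two outstanding CVEs but no complete chain, and `csa-01` not at all. In a real deployment the feed comes from CISA's published JSON and the inventory from the asset and patch-management system; the matching key (vendor plus product) is deliberately simple, so normalise product names before relying on it.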
"According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks," the U.S. cybersecurity agency said on Wednesday.
"The actors' primary exploit paths were two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 and the other exploited CVE-2024-8963 and CVE-2024-9379. In one confirmed compromise, the actors moved laterally to two servers."
CISA and FBI now "strongly encourage" all network administrators to upgrade their appliances to the latest supported Ivanti CSA version to thwart ongoing attacks that could target their systems.
They're also advised to "hunt" for signs of malicious activity on their networks using the indicators of compromise (IOCs) and detection methods shared in the advisory.
"Credentials and sensitive data stored within the affected Ivanti appliances should be considered compromised," CISA and the FBI warned. "Organizations should collect and analyze logs and artifacts for malicious activity and apply the incident response recommendations within this advisory."
This stream of actively exploited vulnerabilities came as Ivanti escalated testing and internal scanning capabilities and said it improved its responsible disclosure process to patch security flaws faster.
Several other vulnerabilities were exploited as zero days last year in widespread attacks against vulnerable Ivanti VPN appliances and ICS, IPS, and ZTA gateways.
Since the beginning of 2025, Ivanti Connect Secure VPN appliances have also been targeted by a suspected China-nexus espionage actor (tracked as UNC5221) in remote code execution zero-day attacks that infected them with new Dryhook and Phasejam malware.
Ivanti's customer list includes over 40,000 companies worldwide that use its products to manage systems and IT assets.