In a joint advisory issued today, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned that cyberattackers continue to exploit security flaws in Ivanti Cloud Service Appliances (CSA). These vulnerabilities, some of which were patched months ago, remain a critical threat to unprotected networks.
Vulnerabilities Under Attack
The vulnerabilities actively exploited in these attacks include:
- CVE-2024-8963: An administrative authentication bypass vulnerability patched in September 2024.
- CVE-2024-8190: A remote code execution (RCE) vulnerability, also patched in September 2024.
- CVE-2024-9379: An SQL injection vulnerability addressed in October 2024.
- CVE-2024-9380: Another RCE vulnerability patched in October 2024.
All four vulnerabilities were previously exploited as zero-day threats, prompting CISA to add them to its Known Exploited Vulnerabilities Catalog. Federal Civilian Executive Branch (FCEB) agencies have been directed to mitigate these vulnerabilities under Binding Operational Directive (BOD) 22-01.
Attack Methods and Impacts
According to CISA and the FBI, attackers are chaining these vulnerabilities to:
- Gain initial access to networks.
- Conduct remote code execution.
- Steal credentials.
- Deploy webshells for persistent access.
“Threat actors exploited these vulnerabilities in chains, such as combining CVE-2024-8963 with CVE-2024-8190 and CVE-2024-9380, or pairing CVE-2024-8963 with CVE-2024-9379,” the advisory detailed. “In one confirmed incident, attackers moved laterally across victim networks, compromising multiple servers.”
Call to Action
CISA and the FBI strongly recommend that all network administrators:
- Update Ivanti CSA Appliances: Immediately upgrade to the latest supported versions to protect against known vulnerabilities.
- Hunt for Indicators of Compromise (IOCs): Analyze network logs and artifacts for signs of malicious activity. Detection methods and IOCs have been shared in the advisory.
- Treat Stored Credentials as Compromised: Assume that sensitive data and credentials stored within affected appliances are already compromised.
- Implement Incident Response Measures: Follow CISA’s recommendations for mitigating and responding to potential breaches.
Ivanti’s Response
Ivanti has strengthened its internal security processes, improving vulnerability testing and accelerating its patch release timelines. Despite these efforts, the company’s products remain a frequent target for attackers.
Last year, multiple zero-day vulnerabilities in Ivanti VPN appliances and other products were exploited in widespread attacks. In early 2025, suspected China-linked threat group UNC5221 used zero-day vulnerabilities in Ivanti Connect Secure appliances to deploy novel malware strains such as Dryhook and Phasejam.
The Bigger Picture
Ivanti’s products are used by over 40,000 organizations globally, making them a high-value target for threat actors. These ongoing attacks highlight the critical importance of timely patching, robust network monitoring, and proactive threat hunting.
What’s Next?
CISA and the FBI continue to monitor the situation and will update their advisory as new information becomes available. Organizations should remain vigilant, ensuring their networks are protected against these and future exploits.
For detailed mitigation steps and a full list of IOCs, visit the official CISA advisory page. Ensure your organization remains secure by acting swiftly and staying informed.