CVE-2024-8963
Published: 19 September 2024
Summary
CVE-2024-8963 is a critical-severity Path Traversal (CWE-22) vulnerability in Ivanti Endpoint Manager Cloud Services Appliance. Its CVSS base score is 9.4 (Critical).
Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-8963 is a path traversal vulnerability (CWE-22) affecting Ivanti Cloud Services Appliance (CSA) versions prior to 4.6 Patch 519. The flaw permits unauthorized access to restricted functionality through improper handling of file paths in the affected component.
A remote unauthenticated attacker can exploit the issue over the network without any user interaction or credentials. Successful exploitation grants the ability to reach otherwise protected resources, resulting in high impacts to confidentiality and integrity along with limited availability effects as reflected in the CVSS 9.4 score.
The official Ivanti security advisory recommends immediate application of the 4.6 Patch 519 update to remediate the vulnerability. CISA has added CVE-2024-8963 to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
The associated EPSS score remains persistently elevated, with a current value of 0.9423 and a recorded peak of 0.9680, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-49510
Vulnerability details
Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
- CWE(s)
- KEV Date Added
- 19 September 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces access control policies on resources so that path traversal cannot grant unauthenticated access to restricted functionality.
Requires validation of file-path inputs to reject traversal sequences (../ etc.) that bypass directory restrictions.
Mandates timely application of the vendor patch (CSA 4.6 Patch 519) that eliminates the path-traversal flaw.