The Cybersecurity & Infrastructure Security Agency is warning of a critical vulnerability in Ivanti Cloud Services Appliance (CSA) that is being actively exploited.

Ivanti issued a security advisory for CSA 4.6 to address a high severity vulnerability that could give attackers unauthorized accesses to devices running a CSA.

An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

To make matters worse, CSA 4.6 is End-of-Life (EOL), limiting availability of future updates.

Please note: Ivanti CSA 4.6 is End-of-Life, and no longer receives patches for OS or third-party libraries. Additionally, with the end-of-life status this is the last fix that Ivanti will backport for this version. Customers must upgrade to Ivanti CSA 5.0 for continued support. CSA 5.0 is the only supported version and does not contain this vulnerability. Customers already running Ivanti CSA 5.0 do not need to take any additional action.

CISA is now warning agencies of the vulnerability, instructing them to immediately take measures to mitigate the risk.

CISA recommends users and administrators review CISA and FBI’s joint guidance on eliminating OS command injections and the Ivanti security advisory and apply the recommended updates.

Note: CISA has added CVE-2024-8190 to its Known Exploited Vulnerabilities Catalog, which, per Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the specified due date to protect FCEB networks against active threats.

Because Ivanti CSA 4.6 is EOL, however, CISA is recommending agencies take the additional step of replacing it, since it will not receive future security updates.

Action: As Ivanti CSA has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line of supported solutions, as future vulnerabilities on the 4.6.x version of CSA are unlikely to receive future security updates.