Created on 2024-10-21 08:27 and updated on 2024-10-21 08:27.
Description
Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs
Affected Platforms: Ivanti Cloud Services Appliance version 4.6 and prior
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
Today FortiGuard Labs is releasing this blog post about a case where an advanced adversary was observed exploiting three vulnerabilities affecting the Ivanti Cloud Services Appliance (CSA). At the time of our investigation, two out of the three identified vulnerabilities were not publicly known. This incident is a prime example of how threat actors chain zero-day vulnerabilities to gain initial access to a victim’s network.
Background
In a recent incident response engagement, FortiGuard Incident Response (FGIR) services were engaged by a customer to investigate malicious communication originating from their network. During the investigation, FGIR came across an adversary who had gained access to the customer’s network by exploiting CVE-2024-8190 and two previously unknown vulnerabilities affecting the PHP front end of the Ivanti CSA appliance.
Vulnerabilities included in this bundle
Author
Alexandre Dulaunoy
Combined sightings
Author | Vulnerability | Source | Type | Date |
---|---|---|---|---|
automation | CVE-2024-29824 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-03-29) | exploited | 4 days ago |
automation | CVE-2024-29824 | The Shadowserver (honeypot/common-vulnerabilities) - (2025-03-21) | seen | 12 days ago |
automation | CVE-2024-29824 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-03-11) | exploited | 22 days ago |
automation | CVE-2024-29824 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-03-10) | exploited | 23 days ago |
automation | CVE-2024-29824 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-03-09) | exploited | 24 days ago |
automation | CVE-2024-29824 | The Shadowserver (honeypot/common-vulnerabilities) - (2025-03-09) | seen | 24 days ago |
automation | CVE-2024-29824 | The Shadowserver (honeypot/common-vulnerabilities) - (2025-03-02) | seen | 1 month ago |
automation | CVE-2024-29824 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-03-02) | exploited | 1 month ago |
automation | CVE-2024-29824 | MISP/a1e796df-2ad8-4c8d-8b69-737a004e72dd | seen | 1 month ago |
automation | CVE-2024-29824 | MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123 | seen | 1 month ago |
automation | CVE-2024-29824 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-02-11) | exploited | 1 month ago |
automation | CVE-2024-29824 | MISP/a1e796df-2ad8-4c8d-8b69-737a004e72dd | seen | 1 month ago |
automation | CVE-2024-29824 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-12-20) | exploited | 3 months ago |
automation | CVE-2024-29824 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-10-31) | exploited | 5 months ago |
adulau | CVE-2024-29824 | | seen | 5 months ago |
automation | CVE-2024-29824 | MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123 | seen | 5 months ago |
automation | CVE-2024-9380 | MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123 | seen | 1 month ago |
automation | CVE-2024-9380 | https://bsky.app/profile/hackingne.ws/post/3lggeheeneu2x | seen | 2 months ago |
automation | CVE-2024-9380 | https://bsky.app/profile/socprime.com/post/3lggbmc7dc72t | seen | 2 months ago |
automation | CVE-2024-9380 | https://threatintel.cc/2025/01/23/threat-actors-chained-vulnerabilities-in.html | seen | 2 months ago |
automation | CVE-2024-9380 | https://bsky.app/profile/hackingne.ws/post/3lgfg6rd6qb2l | seen | 2 months ago |
automation | CVE-2024-9380 | https://bsky.app/profile/bluecyber.bsky.social/post/3lgeaatupu22x | seen | 2 months ago |
automation | CVE-2024-9380 | https://infosec.exchange/users/screaminggoat/statuses/113873414203572986 | seen | 2 months ago |
adulau | CVE-2024-9380 | | seen | 5 months ago |
automation | CVE-2024-9380 | MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123 | seen | 5 months ago |
automation | CVE-2024-8190 | MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123 | seen | 1 month ago |
automation | CVE-2024-8190 | https://poliverso.org/objects/0477a01e-c465dbc4-89f3589511bbf4fb | seen | 1 month ago |
automation | CVE-2024-8190 | https://bsky.app/profile/hackingne.ws/post/3lggeheeneu2x | seen | 2 months ago |
automation | CVE-2024-8190 | https://bsky.app/profile/socprime.com/post/3lggbmc7dc72t | seen | 2 months ago |
automation | CVE-2024-8190 | https://threatintel.cc/2025/01/23/threat-actors-chained-vulnerabilities-in.html | seen | 2 months ago |
automation | CVE-2024-8190 | https://bsky.app/profile/hackingne.ws/post/3lgfg6rd6qb2l | seen | 2 months ago |
automation | CVE-2024-8190 | https://bsky.app/profile/bluecyber.bsky.social/post/3lgeaatupu22x | seen | 2 months ago |
automation | CVE-2024-8190 | https://infosec.exchange/users/screaminggoat/statuses/113873414203572986 | seen | 2 months ago |
automation | CVE-2024-8190 | https://bsky.app/profile/mortyjin.bsky.social/post/3lfcdvmg52k2u | seen | 2 months ago |
automation | CVE-2024-8190 | https://bsky.app/profile/mortyjin.bsky.social/post/3lfcduk7jpk2u | seen | 2 months ago |
adulau | CVE-2024-8190 | | seen | 5 months ago |
automation | CVE-2024-8190 | MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123 | seen | 6 months ago |
automation | CVE-2024-8190 | MISP/aaf97b2c-ad16-4ce6-928a-a440112d0fd3 | seen | 6 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-03-28) | exploited | 5 days ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-03-21) | exploited | 12 days ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-03-20) | exploited | 13 days ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-03-19) | exploited | 14 days ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-03-18) | exploited | 15 days ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-03-15) | exploited | 18 days ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-03-14) | exploited | 19 days ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-03-13) | exploited | 20 days ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-03-08) | exploited | 25 days ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-03-02) | exploited | 1 month ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-02-28) | exploited | 1 month ago |
automation | CVE-2024-8963 | MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123 | seen | 1 month ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-02-21) | exploited | 1 month ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-02-15) | exploited | 1 month ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-02-11) | exploited | 1 month ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-02-08) | exploited | 1 month ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-02-05) | exploited | 1 month ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-02-03) | exploited | 1 month ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-01-24) | exploited | 2 months ago |
automation | CVE-2024-8963 | https://bsky.app/profile/hackingne.ws/post/3lggeheeneu2x | seen | 2 months ago |
automation | CVE-2024-8963 | https://bsky.app/profile/socprime.com/post/3lggbmc7dc72t | seen | 2 months ago |
automation | CVE-2024-8963 | https://threatintel.cc/2025/01/23/threat-actors-chained-vulnerabilities-in.html | seen | 2 months ago |
automation | CVE-2024-8963 | https://bsky.app/profile/hackingne.ws/post/3lgfg6rd6qb2l | seen | 2 months ago |
automation | CVE-2024-8963 | https://bsky.app/profile/bluecyber.bsky.social/post/3lgeaatupu22x | seen | 2 months ago |
automation | CVE-2024-8963 | https://infosec.exchange/users/screaminggoat/statuses/113873414203572986 | seen | 2 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-01-20) | exploited | 2 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-01-17) | exploited | 2 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-01-16) | exploited | 2 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-01-10) | exploited | 2 months ago |
automation | CVE-2024-8963 | https://bsky.app/profile/mortyjin.bsky.social/post/3lfcdvmg52k2u | seen | 2 months ago |
automation | CVE-2024-8963 | https://bsky.app/profile/mortyjin.bsky.social/post/3lfcduk7jpk2u | seen | 2 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-01-05) | exploited | 2 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2025-01-01) | exploited | 3 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-12-27) | exploited | 3 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-12-20) | exploited | 3 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-12-19) | exploited | 3 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-12-18) | exploited | 3 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-12-17) | exploited | 3 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-12-11) | exploited | 3 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-12-06) | exploited | 3 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-12-04) | exploited | 3 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-11-29) | exploited | 4 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-11-27) | exploited | 4 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-11-23) | exploited | 4 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-11-22) | exploited | 4 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-11-19) | exploited | 4 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-11-18) | exploited | 4 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-11-14) | exploited | 4 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-11-12) | exploited | 4 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-11-11) | exploited | 4 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-11-10) | exploited | 4 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-11-09) | exploited | 4 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-11-08) | exploited | 4 months ago |
automation | CVE-2024-8963 | The Shadowserver (honeypot/exploited-vulnerabilities) - (2024-11-07) | exploited | 4 months ago |
adulau | CVE-2024-8963 | | seen | 5 months ago |
automation | CVE-2024-8963 | MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123 | seen | 6 months ago |