CriticalCISA KEVExploited in the wildPublic exploit

Path Traversal in Ivanti Cloud Services Appliance

IdentifiersCVE-2024-8963CWE-22· Improper Limitation of a Pathname…

CVE-2024-8963 is a critical path traversal vulnerability in Ivanti Cloud Services Appliance (CSA) 4.6 before Patch 519. The issue is exploitable remotely and without authentication, allowing an attacker to traverse paths and access files and restricted appliance functionality that should not be exposed to unauthenticated users. Ivanti’s description states that the flaw allows a remote unauthenticated attacker to access restricted functionality, and multiple supporting reports characterize the issue as enabling administrator authentication bypass or access to administrative rights. The vulnerability has also been reported as chainable with CVE-2024-8190, where CVE-2024-8963 provides the unauthorized access/authentication bypass needed to reach functionality that can then be leveraged for arbitrary command execution.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can expose sensitive files and restricted administrative functionality on the CSA appliance to an unauthenticated remote attacker. In practice, reporting indicates this can amount to administrator authentication bypass and acquisition of administrative rights on vulnerable systems. When chained with CVE-2024-8190, the impact escalates to arbitrary command execution / remote code execution on the appliance. The published CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) indicates high confidentiality and integrity impact with low availability impact. Multiple sources in the provided content state the vulnerability has been actively exploited in the wild.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching or upgrade cannot be completed, reduce exposure of the CSA appliance as much as operationally possible, especially internet exposure, and increase monitoring for exploitation. The provided content specifically recommends reviewing for newly added or modified administrative users, checking broker logs for inconsistencies or suspicious activity, and closely monitoring EDR and other telemetry for signs of compromise. Because exploitation has been observed in the wild and patching alone does not address prior intrusion, organizations should perform threat hunting for webshells, suspicious HTTP requests, anomalous log entries, and other indicators of compromise on exposed systems.

Remediation

Patch, then assume compromise.

Upgrade Ivanti CSA to a fixed release. For affected CSA 4.6 deployments, apply Patch 519 immediately. Because CSA 4.6 is end-of-life, the preferred remediation in the provided advisories is to upgrade to CSA 5.0 or later fixed versions as recommended by Ivanti. Organizations should also investigate for prior compromise, because the provided advisories explicitly note that patching does not remediate historic compromise. If compromise is suspected, isolate the appliance, preserve forensic evidence, rebuild from trusted media if necessary, and reset credentials and secrets that may have been exposed or transited the device.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

IvantiEndpoint Manager Cloud Services Applianceapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

17 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

17 SOURCESView more in app

cso onlineNews

Oct 20, 2025

Network security devices endanger orgs with ’90s era flaws

A path traversal vulnerability in Ivanti Cloud Services Appliance leading to remote code execution.

the hacker newsNews

Jul 3, 2025

Chinese Hackers Exploit Ivanti CSA Zero-Days in Attacks on French Government, Telecoms

A zero-day vulnerability in Ivanti Cloud Services Appliance (CSA) devices exploited by Chinese threat actors (Houken/UNC5174) to obtain credentials and establish persistence, including via web shells and rootkits.

cyberscoopNews

Jul 3, 2025

China-linked attacker hit France’s critical infrastructure via trio of Ivanti zero-days last year

A zero-day vulnerability in Ivanti Cloud Services Appliance devices that was exploited in the wild by China-linked threat actors to gain initial access, conduct remote code execution, obtain credentials, and implant webshells on victim networks.

the record mediaNews

Jul 2, 2025

French cybersecurity agency confirms government affected by Ivanti hacks

A zero-day vulnerability in Ivanti Cloud Service Appliance (CSA) exploited as part of the Houken/UNC5174 intrusion campaign impacting French government and other sectors.

+10 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence5

Every observed campaign linking this CVE to a named adversary.

Associated malware5

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2024-8963

NVD

nvd.nist.gov/vuln/detail/CVE-2024-8963

MITRE CWE · CWE-22

Improper Limitation of a Pathname to a…

Vendor Advisory

forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud-Services-Appliance-CVE-2024-8963

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8963