Path Traversal in Ivanti Csa (Cloud Services Appliance)
CVE-2024-8963
Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.942 (99.9th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.4 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L.
Affected products
- Ivanti Csa (Cloud Services Appliance) — versions 4.6 Patch 519, 5.0
Weakness classification (CWE)
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on . CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: As Ivanti CSA has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line of supported solutions, as future vulnerabilities on the 4.6.x version of CSA are unlikely to receive security updates.
Public proof-of-concept exploits
References
Frequently asked questions
- What is CVE-2024-8963?
- CVE-2024-8963 is a critical-severity vulnerability in Ivanti Csa (Cloud Services Appliance), classified under Path Traversal. CVSS score: 9.4/10. Published 2024-09-19.
- How severe is CVE-2024-8963?
- Critical severity. CVSS v3 base score is 9.4 out of 10.
- Is CVE-2024-8963 known to be exploited?
- Yes. CVE-2024-8963 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2024-09-19), indicating it is being actively exploited. 10 public proof-of-concept repositories are indexed.