CVE-2024-9379

6.5 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Ivanti CSA's admin web console allows authenticated administrators to execute arbitrary SQL statements. It affects Ivanti CSA versions before 5.0.2. Attackers with admin credentials could potentially access, modify, or delete sensitive database information.

💻 Affected Systems

Products:
  • Ivanti Cloud Services Appliance (CSA)
Versions: All versions before 5.0.2
Operating Systems: Linux-based appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin-level authentication to the web console; CSA appliances are typically deployed as virtual appliances.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including exfiltration of all stored credentials, configuration data, and sensitive information; potential for privilege escalation to the underlying operating system.

🟠 Likely Case: Data theft or manipulation of CSA configuration and user data, potentially enabling further attacks within the environment.

🟢 If Mitigated: Limited impact, with proper access controls, network segmentation, and monitoring preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials but SQL injection techniques are well-understood and easily weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.2

Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381

Restart Required: Yes

Instructions:

1. Download CSA 5.0.2 from the Ivanti support portal.
2. Back up the current configuration.
3. Apply the update through the admin console.
4. Restart the appliance as prompted.

🔧 Temporary Workarounds

Restrict Admin Console Access (scope: all)
  • Limit access to the admin web console to only trusted IP addresses/networks
  • Configure firewall rules to restrict access to the CSA admin port (typically 443)

Implement Web Application Firewall (scope: all)
  • Deploy a WAF with SQL injection protection rules in front of CSA

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate CSA from sensitive systems
  • Enforce strong authentication and monitor admin account activity closely

🔍 How to Verify

Check if Vulnerable:

Check CSA version in admin console under System > About; versions below 5.0.2 are vulnerable

Check Version:

ssh admin@csa-host 'cat /etc/version' or check web interface

Verify Fix Applied:

Confirm version shows 5.0.2 or higher in admin console

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in CSA logs
  • Multiple failed login attempts followed by admin console access
  • Unexpected database operations

Network Indicators:

  • Unusual traffic patterns to CSA admin port
  • SQL error messages in HTTP responses

SIEM Query:

source="csa_logs" AND ("sql" OR "database" OR "query") AND severity=HIGH
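As an added example (not part of this advisory, and not Ivanti code), the log indicators above expressed as detection logic: a burst of failed logins followed by successful admin console access from the same source, and SQL error text in admin console responses. The key=value log format, field names and sample lines are constructed for illustration; the real CSA log layout is not given on this page, so the parser must be adapted to it.

```python
"""Detection logic for the CVE-2024-9379 log indicators (added example).
The log format below is CONSTRUCTED for illustration; adapt parse() to
the real CSA admin console log layout."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value format.
SAMPLE_LOGS = """\
2024-10-09T10:00:01Z src=10.0.0.5 user=admin event=login result=failure
2024-10-09T10:00:04Z src=10.0.0.5 user=admin event=login result=failure
2024-10-09T10:00:07Z src=10.0.0.5 user=admin event=login result=failure
2024-10-09T10:00:15Z src=10.0.0.5 user=admin event=login result=success
2024-10-09T10:00:40Z src=10.0.0.5 user=admin event=request path=/admin/report status=500 msg="SQL syntax error in query"
2024-10-09T11:30:00Z src=10.0.0.9 user=ops event=login result=success
2024-10-09T11:30:05Z src=10.0.0.9 user=ops event=request path=/admin/status status=200 msg="ok"
"""

LINE_RE = re.compile(r'(\S+)\s+(.*)')                 # timestamp, then key=value fields
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')             # quoted or bare values
SQL_ERR_RE = re.compile(r'sql syntax|sql error|database error|syntax error', re.I)

def parse(line):
    """Split one constructed log line into a dict of fields plus a datetime 'ts'."""
    ts, rest = LINE_RE.match(line).groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields['ts'] = datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ')
    return fields

def detect(log_text, failures=3, window=timedelta(minutes=5)):
    """Return (alert_type, (src, user), timestamp) tuples for the two indicators."""
    alerts = []
    recent_failures = defaultdict(list)   # (src, user) -> timestamps of failed logins
    for line in log_text.splitlines():
        ev = parse(line)
        key = (ev.get('src'), ev.get('user'))
        if ev.get('event') == 'login':
            if ev.get('result') == 'failure':
                recent_failures[key].append(ev['ts'])
            else:
                # Success after >= `failures` failures inside `window`: possible credential attack
                recent = [t for t in recent_failures[key] if ev['ts'] - t <= window]
                if len(recent) >= failures:
                    alerts.append(('failed_logins_then_admin_access', key, ev['ts']))
                recent_failures[key].clear()
        elif ev.get('event') == 'request' and SQL_ERR_RE.search(ev.get('msg', '')):
            # SQL error text leaking into a response is a classic injection indicator
            alerts.append(('sql_error_in_response', key, ev['ts']))
    return alerts
```

Run against the constructed sample, the detector raises one alert for the admin login burst and one for the SQL error response; the ops session produces none.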
