Login Sign Up

CVE-2024-9380

7.2 HIGH
Remote Code Execution

📋 TL;DR

This CVE describes an OS command injection vulnerability in Ivanti CSA's admin web console that allows authenticated administrators to execute arbitrary commands on the underlying system. Attackers with admin access can achieve remote code execution, potentially compromising the entire appliance. Organizations running Ivanti CSA versions before 5.0.2 are affected.

💻 Affected Systems

Products:
  • Ivanti Cloud Services Appliance (CSA)
Versions: All versions before 5.0.2
Operating Systems: Linux-based appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated admin access to the web console.

📦 What is this software?

Endpoint Manager Cloud Services Appliance by Ivanti

View all CVEs affecting Endpoint Manager Cloud Services Appliance →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the CSA appliance, lateral movement to connected systems, data exfiltration, and persistent backdoor installation.

🟠

Likely Case

Unauthorized administrative access leading to configuration changes, credential theft, and installation of malware on the appliance.

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege access, and monitoring are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.2

Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381

Restart Required: Yes

Instructions:

1. Backup current configuration. 2. Download CSA 5.0.2 from Ivanti portal. 3. Apply update via admin console. 4. Restart appliance. 5. Verify update completed successfully.

🔧 Temporary Workarounds

Restrict Admin Access

all

Limit administrative access to trusted IP addresses only

Configure firewall rules to restrict access to CSA admin interface from specific IP ranges

Network Segmentation

all

Isolate CSA appliance from critical systems

Implement VLAN segmentation and firewall rules to limit CSA network communication

🧯 If You Can't Patch

  • Implement strict network access controls to CSA admin interface
  • Enable detailed logging and monitoring for suspicious admin activities

🔍 How to Verify

Check if Vulnerable:

Check CSA version in admin console under System > About

Check Version:

ssh admin@csa-hostname 'cat /etc/ivanti-release'

Verify Fix Applied:

Verify version shows 5.0.2 or later in admin console

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns in CSA logs
  • Multiple failed login attempts followed by successful admin login
  • Suspicious process creation from web console

Network Indicators:

  • Unusual outbound connections from CSA appliance
  • Traffic to unexpected ports from CSA

SIEM Query:

source="csa_logs" AND (event_type="command_execution" OR user="admin") AND command="*;*" OR command="*|*" OR command="*`*"

📊 Metadata

CVE ID: CVE-2024-9380
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
Published: October 8, 2024
Last Updated: October 24, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-9380, you might also want to check these:

CVE-2024-48841 10.0

This critical vulnerability in FLXEON software allows remote attackers to execute arbitrary code wit...

Same vulnerability type (CWE-77)
CVE-2025-59818 10.0

This vulnerability allows authenticated attackers to execute arbitrary system commands by manipulati...

Same vulnerability type (CWE-77)
CVE-2024-28354 10.0

This is a critical command injection vulnerability in TRENDnet TEW-827DRU routers that allows remote...

Same vulnerability type (CWE-77)