Multiple attacks force CISA to order agencies to upgrade or remove end-of-life Ivanti appliance

The nation’s top cyber watchdogs urged federal agencies to either remove or upgrade an Ivanti appliance that is no longer being updated and has been exploited in attacks. 

The technology company updated an advisory on Friday warning that a “limited number of customers” were breached through the exploitation of CVE-2024-8190. 

The bug was announced on Tuesday and effects Ivanti’s Cloud Service Appliance (CSA) — a tool that provides secure communication over the internet and acts as a center point for managed devices and central consoles are connected. 

Exploitation of the bug, which the Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Friday as well, gives hackers “access to the device running the CSA.”

The advisory notes that CSA 4.6 is end-of-life and “no longer receives patches for OS or third-party libraries.” 

“Additionally, with the end-of-life status this is the last fix that Ivanti will backport for this version. Customers must upgrade to Ivanti CSA 5.0 for continued support,” they said. “CSA 5.0 is the only supported version and does not contain this vulnerability. Customers already running Ivanti CSA 5.0 do not need to take any additional action.”

CISA ordered all federal civilian agencies to remove CSA 4.6. from service or upgrade to the 5.0. by October 4. 

Ivanti said users will know they are impacted by exploitation of the bug by looking to see if there are modified or newly added administrative users. They also urged customers to check security alerts if they have certain security tools involved. 

The issue arose one day after another Ivanti bug caused alarm among defenders. The company pledged a security overhaul in April after a cascade of headline-grabbing nation-state attacks broke through the systems of government agencies in the U.S. and Europe using vulnerabilities in Ivanti products.