CISA Orders Removal of End-of-Life Ivanti CSA After Active Exploitation
CISA warned that Ivanti Cloud Services Appliance (CSA) was being actively targeted and directed federal civilian agencies to either upgrade to a supported version or remove end-of-life devices from their networks. The order followed Ivanti’s release of a security update for CSA addressing CVE-2024-8190, while CISA said unsupported appliances posed heightened risk because they no longer receive security fixes and were being hit in multiple attacks.
The action came amid broader concern over Ivanti appliance compromises, after earlier emergency guidance and vendor recovery steps tied to CVE-2023-46805 and CVE-2024-21887 showed how attackers could gain access and require full remediation measures. Together, the advisories underscored a continuing pattern in which internet-facing Ivanti appliances became high-priority targets, prompting agencies and enterprises to patch supported systems quickly and retire obsolete deployments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA orders federal agencies to upgrade or remove end-of-life Ivanti appliance
Following multiple attacks involving an end-of-life Ivanti product, CISA directed federal civilian agencies to either upgrade the affected appliance to a supported version or remove it from networks. The order reflected escalating concern over continued exploitation risk.
Ivanti releases security update for Cloud Services Appliance
Ivanti released a security update for its Cloud Services Appliance to address CVE-2024-8190. CISA issued an alert the same day urging organizations to review Ivanti's advisory and apply the update.
Ivanti publishes CSA advisory for CVE-2024-8190
Ivanti published a security advisory for Cloud Services Appliance vulnerability CVE-2024-8190, documenting the issue and vendor guidance for customers. The advisory formalized details around the flaw and remediation steps.
Ivanti publishes recovery steps for exploited Connect Secure flaws
Ivanti published recovery guidance related to CVE-2023-46805 and CVE-2024-21887, indicating active response measures for affected appliances. The guidance focused on recovery actions for customers impacted by the vulnerabilities.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Security Advisory Ivanti Cloud Service Appliance (CSA) (CVE-2024-8190)
forums.ivanti.com
Open sourceMultiple attacks force CISA to order agencies to upgrade or remove end-of-life Ivanti appliance | The Record from Recorded Future News
therecord.media
Open sourceIvanti Releases Security Update for Cloud Services Appliance | CISA
cisa.gov
Open sourceRecovery Steps Related to CVE-2023-46805 and CVE-2024-21887
forums.ivanti.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Orders Hunt for Cisco Device Compromise as New Exploited CVEs Mount
CISA issued **Emergency Directive 25-03** ordering federal civilian agencies to identify and mitigate potential compromise of Cisco devices, then followed with supplemental guidance covering core-dump collection and threat-hunting steps. The directive indicates concern that Cisco infrastructure may already have been breached and requires agencies to validate device integrity, investigate for signs of compromise, and take remediation actions to reduce ongoing risk. At the same time, CISA continued expanding its **Known Exploited Vulnerabilities** catalog with numerous newly listed flaws, including `CVE-2026-33634`, `CVE-2026-5281`, `CVE-2026-32201`, `CVE-2026-3502`, `CVE-2026-33017`, `CVE-2026-20131`, `CVE-2026-3909`, `CVE-2026-1603`, `CVE-2026-21385`, `CVE-2026-22719`, `CVE-2026-2441`, and `CVE-2026-1281`, alongside older but still exploited issues such as `CVE-2025-40551`, `CVE-2025-20393`, `CVE-2025-15556`, `CVE-2024-43468`, `CVE-2023-48788`, `CVE-2021-44529`, and `CVE-2021-39935`. The combined actions show U.S. authorities escalating warnings that active exploitation is broadening across enterprise technologies, with network appliances, email platforms, and internet-facing systems remaining priority targets for defenders.
May 25, 2026
Multiple Security Advisories for Enterprise and Industrial Products
Several major vendors, including Dell, IBM, and CISA, have released security advisories addressing vulnerabilities in a wide range of enterprise and industrial control system products. Dell's advisories cover critical updates for products such as APEX Cloud Platform for Red Hat OpenShift, Enterprise SONiC Distribution, NetWorker, PowerSwitch models, and iDRAC controllers, urging administrators to apply patches to mitigate potential risks. IBM has similarly published advisories for multiple products, while CISA has issued alerts for vulnerabilities in industrial control systems from vendors like ABB, Advantech, Delta Electronics, Fuji Electric, IDIS, Radiometrics, Survision, and Ubia, recommending prompt mitigation and updates. In addition to these broad advisories, a critical denial-of-service vulnerability (CVE-2024-20399) was identified in Cisco's Identity Services Engine (ISE), which could allow unauthenticated attackers to crash network access control systems by exploiting the RADIUS protocol. Cisco has provided both temporary and permanent mitigation steps for affected versions. Separately, CISA added a Samsung Mobile Devices out-of-bounds write vulnerability (CVE-2025-21042) to its Known Exploited Vulnerabilities Catalog, highlighting the ongoing risk posed by actively exploited flaws and urging organizations to prioritize remediation to protect against cyber threats.
Mar 21, 2026
CISA Flags Actively Exploited Ivanti Endpoint Manager Authentication Bypass (CVE-2026-1603)
**CISA added Ivanti Endpoint Manager (EPM) vulnerability `CVE-2026-1603` to the Known Exploited Vulnerabilities (KEV) catalog**, warning it is being actively exploited and directing U.S. federal agencies to remediate within mandated timelines. The flaw is described as an **authentication bypass** (CWE-288) that allows **remote, unauthenticated** attackers to access and **steal sensitive stored credential data**, creating elevated risk because EPM is commonly used as a central platform for managing large endpoint fleets. Ivanti addressed `CVE-2026-1603` in **Ivanti EPM 2024 SU5**; reporting indicates the same release also fixed an **SQL injection** issue that could allow authenticated attackers to read arbitrary database data. Public reporting notes CISA did not provide detailed exploitation telemetry, and Ivanti stated it was not aware of customer exploitation prior to public disclosure; external monitoring cited **700+ internet-facing EPM instances** observed by Shadowserver, underscoring potential exposure where systems remain unpatched.
Mar 21, 2026