OS Command Injection RCE in Ivanti Cloud Services Appliance
CVE-2024-8190 is an OS command injection vulnerability in Ivanti Cloud Services Appliance (CSA) version 4.6 Patch 518 and earlier. According to the provided content, the flaw allows a remote authenticated attacker with administrator-level privileges to inject operating system commands and achieve remote code execution on the appliance. The issue was later described in reporting as part of attack chains involving other Ivanti CSA vulnerabilities, particularly CVE-2024-8963, which can provide the administrative access needed to reach the vulnerable functionality.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository provides a proof-of-concept (PoC) exploit for chaining CVE-2024-8963 (path traversal) and CVE-2024-8190 (OS command injection) to achieve unauthenticated remote code execution (RCE) on Ivanti Cloud Services Appliance (CSA) version 4.6 and below. The main exploit script, 'cve-2024-8190.py', is a Python tool that targets the vulnerable '/client/index.php%3F.php/gsb/datetime.php' endpoint, bypassing authentication by leveraging the path traversal flaw. It extracts a CSRF token from the response and then submits a POST request with a crafted 'TIMEZONE' parameter containing the attacker's command, resulting in arbitrary command execution on the target system. The README provides usage instructions and a demonstration, including out-of-band verification via ICMP (ping). Additionally, the repository includes a markdown file ('invanti-c2-in-the-wild.md') describing a real-world attacker backdoor that leverages similar vulnerabilities for persistence, credential theft, and data exfiltration via the database. The exploit is a functional PoC, not weaponized, and is intended for authorized testing and research purposes only.
This repository contains a proof-of-concept exploit for CVE-2024-8190, targeting Ivanti Cloud Service Appliance (CSA) devices. The main file, CVE-2024-8190.py, is a Python script that performs an authenticated command injection attack. The exploit works by first authenticating to the target device using provided credentials, then retrieving a CSRF token from the /gsb/datetime.php endpoint. It crafts a POST request to the same endpoint, injecting an arbitrary command into the TIMEZONE parameter, which is then executed on the target system. The script requires the attacker to supply the target URL, a valid username and password, and the command to execute. The README.md provides usage instructions and background information. No hardcoded IPs or domains are present; the script is designed to be used against user-specified targets. The exploit is a functional proof-of-concept and does not include advanced features such as output retrieval or post-exploitation modules.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A zero-day vulnerability in Ivanti Cloud Services Appliance (CSA) devices exploited by Chinese threat actors (Houken/UNC5174) to obtain credentials and establish persistence, including via web shells and rootkits.
A zero-day vulnerability in Ivanti Cloud Services Appliance devices that was exploited in the wild by China-linked threat actors to gain initial access, conduct remote code execution, obtain credentials, and implant webshells on victim networks.
A zero-day vulnerability in Ivanti Cloud Service Appliance (CSA) exploited as part of the Houken/UNC5174 intrusion campaign impacting French government and other sectors.
A critical Ivanti vulnerability used for initial access in the PurpleHaze intrusions; described (along with CVE-2024-8963) as enabling admin authentication bypass and OS command execution when chained.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.