Ivanti Says ‘Critical’ Cloud Gateway Vulnerability Seeing Exploitation


The vendor disclosed that a ‘limited’ number of customers have been attacked through exploits of the flaw affecting its Cloud Service Appliance.


Ivanti disclosed Thursday it’s aware of attacks against some customers through exploitation of a newly discovered, critical-severity vulnerability affecting its Cloud Service Appliance (CSA) gateway.

It’s the second flaw in Ivanti’s CSA gateway that has seen exploits by threat actors over the past week.

The vulnerability (tracked as CVE-2024-8963) was “incidentally” already fixed in an update released Sept. 10 by Ivanti. The flaw affects CSA version 4.6, which is no longer supported by Ivanti.

“We are aware of a limited number of customers who have been exploited by this vulnerability,” the vendor said in its advisory.

If a threat actor uses the vulnerability in conjunction with the CSA flaw disclosed last week (a high-severity vulnerability tracked as CVE-2024-8190), “an attacker can bypass admin authentication and execute arbitrary commands on the appliance,” Ivanti said.

As with the previous vulnerability, the critical CSA flaw impacts all versions of the appliance prior to the Sept. 10 update, known as patch 519.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory Thursday on the newly discovered CSA vulnerability, noting that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”

CRN has reached out to Ivanti for comment.

The vulnerability has received a “critical” severity rating of 9.4 out of 10.0.

Ivanti CSA 4.6 is considered “end of life,” meaning that it “no longer receives patches for OS or third-party libraries,” the company said.

“Customers must upgrade to Ivanti CSA 5.0 for continued support,” the company said in its disclosure, noting that CSA 5.0 is the “only supported version” of the appliance.

While the critical vulnerability was already addressed in the Sept. 10 update, Ivanti said that it actually only discovered the issue on Sept. 13 while investigating the exploitation of the prior, high-severity vulnerability in CSA.

“As we were evaluating the root cause of this [critical] vulnerability, we discovered that the issue had been incidentally addressed with some of the functionality removal that had been included in patch 519,” the vendor said in its advisory.


