CVE-2024-9379 — Ivanti Cloud Services Appliance (CSA)

Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability

Added to KEV

2024-10-09

Federal due date

2024-10-30

Vendor

Ivanti

Product

Cloud Services Appliance (CSA)

EPSS

99.1th percentile (score 0.793, as of 2026-06-08)

NVD CVSS v3.1

—

Ransomware use

Unknown

Upstream

https://nvd.nist.gov/vuln/detail/CVE-2024-9379

CISA short description

Ivanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.

Required action

As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.

EPSS percentile is the FIRST.org exploit-probability ranking as of the date noted above; it moves daily. CVSS reflects NVD's analysis at time of publication.