Ivanti has disclosed a second vulnerability, CVE-2024-8963, affecting its Cloud Services Appliance (CSA), which has been exploited in attacks. This comes after a high-severity flaw, CVE-2024-8190, was announced earlier in September. While CVE-2024-8190 allows for OS command injection and remote code execution with admin privileges, CVE-2024-8963 is a critical path traversal issue enabling unauthorized access to restricted functions. When combined, these vulnerabilities let attackers bypass admin authentication. Ivanti has patched these flaws, and federal agencies are required to address them by October 10.