Ivanti vTM auth bypass flaw exploited in attacks, CISA warns (CVE-2024-7593)


CVE-2024-7593, a critical authentication bypass vulnerability affecting Ivanti Virtual Traffic Manager (vTM) appliances, is actively exploited by attackers.

The confirmation comes from the Cybersecurity and Infrastructure Security Agency (CISA), which added the flaw to its Known Exploited Vulnerabilities catalog, thus mandating all US federal civilian executive branch agencies to remediate it by October 15, 2024.

About CVE-2024-7593

Ivanti Virtual Traffic Manager is a software-based application delivery controller and load balancing solution. It includes a web-based administration interface through which traffic across Ivanti Virtual Traffic Manager clusters can be monitored.

CVE-2024-7593 stems from the incorrect implementation of an authentication algorithm in Ivanti vTM versions prior to 22.2R1, 22.3R3, 22.5R2, 22.6R2 or 22.7R2.

As the company confirmed on August 12, the vulnerability may allow a remote unauthenticated attacker to bypass authentication of the admin panel and to create an admin user.

“This vulnerability is accessible over the management interface. To limit exploitability of this vulnerability, it is industry best practice and advised by Ivanti to limit Admin Access to the Management Interface internal to the network through the private / corporate network,” they added.

At the time, Ivanti confirmed the public availability of proof-of-concept exploit code, but said that they were not aware of customers being targeted via this vulnerability.

What to do?

Ivanti devices – VPN appliances, gateways, and Cloud Services Appliances – have lately been targeted by attackers wielding zero and n-day vulnerabilities, pushing the company to improve security practices and accelerate security initiatives.

After Ivanti’s release of the last patches on August 19, Censys searched for internet-exposed Ivanti vTM devices and found 97 of them.

Admins are urged to upgrade to fixed vTM versions and/or to limit access to the management interface, and to review the “Audit Logs Output” for specific indicators of new admin users having been added via the GUI or by exploit code.
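The two defensive checks the article recommends, restricting management access to the private network and sweeping the audit log for newly created admin users, can be scripted. The following is an added example (not Ivanti's code and not the real vTM "Audit Logs Output" format): the log lines are constructed in a hypothetical key=value layout, the trusted ranges are assumed to be RFC 1918 space, and `parse_line()` is the only piece you would need to adapt to the appliance's actual log syntax.

```python
"""Sweep an audit log for admin-user creation and for management-plane
activity originating outside the private network."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in a HYPOTHETICAL key=value format. The real
# vTM "Audit Logs Output" looks different; adjust parse_line() to match it.
SAMPLE_AUDIT_LOG = """\
2024-09-24T10:02:11Z INFO user=admin src=10.20.30.40 action=login result=success
2024-09-24T10:05:42Z INFO user=admin src=10.20.30.40 action=config_change object=pool/web result=success
2024-09-24T11:17:03Z INFO user=admin src=203.0.113.77 action=user_create object=user/backup_svc group=admin result=success
2024-09-24T11:18:55Z INFO user=backup_svc src=203.0.113.77 action=login result=success
2024-09-24T12:00:00Z INFO user=ops src=192.168.5.9 action=user_create object=user/newops group=monitoring result=success
"""

# Assumed "private / corporate" ranges (RFC 1918); replace with your own.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    timestamp: str
    actor: str             # account that performed the action
    source: str            # client address recorded for the action
    created_user: str
    group: str
    external_source: bool  # True if source lies outside TRUSTED_NETS


def parse_line(line: str) -> Optional[dict]:
    """Split one audit line into a dict; None for blank or unparseable lines."""
    parts = line.strip().split(None, 2)
    if len(parts) < 3:
        return None
    ts, level, rest = parts
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    fields["level"] = level
    return fields


def is_external(addr: str, trusted=TRUSTED_NETS) -> bool:
    """True when addr is not inside any trusted (management) network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # an unparseable source is treated as untrusted
    return not any(ip in net for net in trusted)


def find_user_creations(log_text: str,
                        only_groups: Optional[Tuple[str, ...]] = ("admin",)) -> List[Finding]:
    """Return successful user-creation events; by default only those granting admin."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("action") != "user_create" or ev.get("result") != "success":
            continue
        group = ev.get("group", "")
        if only_groups is not None and group not in only_groups:
            continue
        created = ev.get("object", "").split("/", 1)[-1]
        src = ev.get("src", "")
        findings.append(Finding(ev["ts"], ev.get("user", "?"), src, created, group, is_external(src)))
    return findings


def events_from_outside(log_text: str) -> List[Tuple[str, str, str]]:
    """(timestamp, user, action) for every event whose source is outside the trusted nets."""
    out: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_external(ev.get("src", "")):
            out.append((ev["ts"], ev.get("user", "?"), ev.get("action", "?")))
    return out


if __name__ == "__main__":
    for f in find_user_creations(SAMPLE_AUDIT_LOG):
        flag = "EXTERNAL SOURCE" if f.external_source else "internal source"
        print(f"{f.timestamp}: {f.actor} created admin user '{f.created_user}' from {f.source} ({flag})")
    for ts, user, action in events_from_outside(SAMPLE_AUDIT_LOG):
        print(f"{ts}: {action} by {user} from outside the management network")
```

On the constructed sample, the sweep flags the `backup_svc` admin account created from 203.0.113.77, a non-private address, and lists both events that reached the management interface from outside the trusted ranges; an admin account created from an address the management interface should never have been reachable from is exactly the indicator the article tells admins to look for.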
