August 19, 2024 Advisory: Authentication Bypass in Ivanti vTM [CVE-2024-7593]


Ivanti Virtual Traffic Manager (vTM) Authentication Bypass [CVE-2024-7593]

Date of Disclosure: August 12, 2024

CVE-ID and CVSS Score: CVE-2024-7593: CVSS 9.8 (assigned by Ivanti)

Asset Description: Ivanti Virtual Traffic Manager (vTM) is a software application used to manage and optimize the delivery of applications across networks. This vulnerability affects versions 22.2 to 22.2R1 and 22.3 to 22.3R1.

Exposed Ivanti vTM interface, with indications of running vulnerable version 22.2

Vulnerability Impact: The vulnerability allows a remote unauthenticated attacker to bypass the authentication of the admin panel and create a new admin user, potentially leading to unauthorized access and control over the affected system.

Exploitation Details: A public PoC is available for this vulnerability. The flaw is due to an incorrect implementation of an authentication algorithm, which can be exploited by attackers to gain unauthorized access. Ivanti has stated that they “are not aware of any customers being exploited by this vulnerability at the time of disclosure. However, a Proof of Concept is publicly available, and we urge customers to upgrade to the latest patched version.”

Patch Availability: Ivanti has released patches for versions 22.2 and 22.7R1 so far, with plans to release patches for all versions by the week of August 19 (this week, at the time of writing). Below is the table provided in their advisory with the scheduled patch rollout for all versions.

| Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability |
|---|---|---|---|
| Ivanti Virtual Traffic Manager | 22.2 | 22.2R1 | Available |
| Ivanti Virtual Traffic Manager | 22.3 | 22.3R3 | Week of August 19th |
| Ivanti Virtual Traffic Manager | 22.3R2 | 22.3R3 | Week of August 19th |
| Ivanti Virtual Traffic Manager | 22.5R1 | 22.5R2 | Week of August 19th |
| Ivanti Virtual Traffic Manager | 22.6R1 | 22.6R2 | Week of August 19th |
| Ivanti Virtual Traffic Manager | 22.7R1 | 22.7R2 | Available |
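
For triaging an internal inventory against the patch table above, the following is an added example, not code from Ivanti or from this advisory's authors. It assumes a bare version such as `22.3` is revision 0 of its branch and that revisions within a branch are ordered by their `R` number; the function names, hostnames and sample versions are constructed.

```python
import re

# Resolved release per branch, copied from the advisory's patch table.
RESOLVED = {
    "22.2": "22.2R1",
    "22.3": "22.3R3",
    "22.5": "22.5R2",
    "22.6": "22.6R2",
    "22.7": "22.7R2",
}

_VERSION = re.compile(r"^\s*v?(\d+)\.(\d+)(?:R(\d+))?\s*$", re.IGNORECASE)

def parse(version):
    """Split '22.3R2' into ('22.3', 2). Assumption: a bare '22.3' is revision 0."""
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised vTM version: {version!r}")
    return f"{int(m.group(1))}.{int(m.group(2))}", int(m.group(3) or 0)

def triage(version):
    """Return (status, fixed_in) for one reported version string."""
    try:
        branch, rev = parse(version)
    except ValueError:
        return "unparseable", None
    fixed_in = RESOLVED.get(branch)
    if fixed_in is None:
        # Branch is not in the table; this is not a statement that it is safe.
        return "not-listed", None
    # Assumption: revisions within a branch are ordered by their R number.
    return ("patched" if rev >= parse(fixed_in)[1] else "vulnerable"), fixed_in

def needs_action(inventory):
    """Hosts whose version is vulnerable or could not be classified."""
    results = {host: triage(ver) for host, ver in inventory.items()}
    return {h: r for h, r in results.items() if r[0] != "patched"}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "vtm-a.example.internal": "22.2",
    "vtm-b.example.internal": "22.3R2",
    "vtm-c.example.internal": "22.7R2",
    "vtm-d.example.internal": "21.4",
    "vtm-e.example.internal": "n/a",
}

if __name__ == "__main__":
    for host, (status, fixed_in) in sorted(needs_action(SAMPLE).items()):
        print(f"{host}: {status}" + (f", upgrade to {fixed_in}" if fixed_in else ""))
```

Hosts reported as `not-listed` or `unparseable` are kept in the output on purpose so they get a manual check against the vendor advisory.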

Censys Perspective:

  • At the time of writing, Censys observes 97 exposed devices online.
  • In line with our policy, we do not disclose Censys queries for Rapid Response in public advisories when our data indicates 100 or fewer affected devices, to avoid providing directly actionable targets to threat actors.
