
August 19, 2024 Advisory: Authentication Bypass in Ivanti vTM [CVE-2024-7593]

Ivanti Virtual Traffic Manager (vTM) Authentication Bypass [CVE-2024-7593]

Date of Disclosure: August 12, 2024

CVE-ID and CVSS Score: CVE-2024-7593: CVSS 9.8 (assigned by Ivanti)

Asset Description: Ivanti Virtual Traffic Manager (vTM) is a software application used to manage and optimize the delivery of applications across networks. This vulnerability affects versions 22.2 to 22.2R1 and 22.3 to 22.3R1.

Figure: Exposed Ivanti vTM interface, with indications of running vulnerable version 22.2

Vulnerability Impact: The vulnerability allows a remote unauthenticated attacker to bypass the authentication of the admin panel and create a new admin user, potentially leading to unauthorized access and control over the affected system.

Exploitation Details: A public PoC is available for this vulnerability. The flaw is due to an incorrect implementation of an authentication algorithm, which can be exploited by attackers to gain unauthorized access. Ivanti has stated that they “are not aware of any customers being exploited by this vulnerability at the time of disclosure. However, a Proof of Concept is publicly available, and we urge customers to upgrade to the latest patched version.”

Patch Availability: Ivanti has released patches for versions 22.2 and 22.7R1 so far, with plans to release patches for all versions by the week of August 19 (this week, at the time of writing). Below is the table provided in their advisory with the scheduled patch rollout for all versions.

| Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability |
|---|---|---|---|
| Ivanti Virtual Traffic Manager | 22.2 | 22.2R1 | Available |
| Ivanti Virtual Traffic Manager | 22.3 | 22.3R3 | Week of August 19th |
| Ivanti Virtual Traffic Manager | 22.3R2 | 22.3R3 | Week of August 19th |
| Ivanti Virtual Traffic Manager | 22.5R1 | 22.5R2 | Week of August 19th |
| Ivanti Virtual Traffic Manager | 22.6R1 | 22.6R2 | Week of August 19th |
| Ivanti Virtual Traffic Manager | 22.7R1 | 22.7R2 | Available |

Censys Perspective:

  • At the time of writing, Censys observes 97 exposed devices online.
  • In line with our policy, we do not disclose Censys queries for Rapid Response in public advisories when our data indicates 100 or fewer affected devices, to avoid providing directly actionable targets to threat actors.
