Critical Ivanti vTM Authentication Bypass Vulnerability Now Actively Exploited
September 24, 2024
A critical security vulnerability in Ivanti's Virtual Traffic Manager (vTM), tracked as CVE-2024-7593, is being exploited by threat actors. The flaw stems from an incorrect implementation of an authentication algorithm and lets remote, unauthenticated attackers bypass authentication on internet-facing vTM admin panels.
Ivanti's vTM is an application delivery controller (ADC) that offers load balancing and traffic management for hosting business-critical services. The company has warned that successful exploitation of this vulnerability could lead to authentication bypass and the creation of an unauthorized administrator user.
Ivanti has released patches for CVE-2024-7593 and noted in its advisory that proof-of-concept (PoC) exploit code has been publicly available since August 13, but it has not yet updated the advisory to confirm active exploitation. As evidence of compromise, the company suggested checking the appliance's audit log output for new 'user1' or 'user2' admin users, the account names created via the GUI by the publicly available exploit code. Those names are only the defaults baked into the PoC; an attacker can choose any name, so every unexpected admin account creation deserves review, not just those two.
To reduce the attack surface while patches are rolled out, Ivanti has advised administrators to limit access to the vTM management interface by binding it to an internal network or a private IP address rather than exposing it to the internet.
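The audit-log check Ivanti recommends, and the management-network restriction above, can be turned into a small triage script. The following is an added example and not code from Ivanti or from the original article: it assumes a simple key=value audit line layout (constructed here; the real vTM audit log format differs, so adapt `parse_line()` to it), a hypothetical `create_user` action token, and a management subnet of 10.0.0.0/8 that you would replace with your own. It flags every admin-group account creation, and marks as suspicious those whose name matches the published IOC or whose source address lies outside the management network.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample audit log for this example. The key=value layout and the
# "create_user" action name are assumptions made here for readability; adapt
# parse_line() to the real vTM audit log format before using this on an appliance.
SAMPLE_AUDIT_LOG = """\
2024-09-20 10:15:02 user=admin action=login src=10.0.0.12 result=ok
2024-09-20 10:16:40 user=admin action=create_user target=ops-bob group=admin src=10.0.0.12 result=ok
2024-09-20 23:41:07 user=admin action=create_user target=user1 group=admin src=203.0.113.45 result=ok
2024-09-21 02:03:55 user=admin action=create_user target=svc-backup group=admin src=198.51.100.7 result=ok
2024-09-21 02:04:10 user=user1 action=login src=203.0.113.45 result=ok
2024-09-21 02:05:00 user=admin action=create_user target=user2 group=admin src=10.0.0.12 result=ok
"""

# Account names Ivanti told customers to look for (defaults of the public PoC).
IOC_USERNAMES = {"user1", "user2"}

# Networks from which admin access is legitimate. Assumed value for this example;
# it should match the internal network the management interface is bound to.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    timestamp: str
    created_user: str
    source_ip: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split one audit line into (timestamp, {key: value}); None for blank lines."""
    line = line.strip()
    if not line:
        return None
    timestamp = " ".join(line.split(" ", 2)[:2])
    return timestamp, dict(KV_RE.findall(line))


def is_from_management_net(ip_text, nets=MANAGEMENT_NETS):
    """True only if the address parses and lies inside an allowed management network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def find_admin_creations(log_text):
    """Return a Finding for every admin-group account creation, with reasons for concern."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, f = parsed
        if f.get("action") != "create_user" or f.get("group") != "admin":
            continue
        finding = Finding(timestamp, f.get("target", "?"), f.get("src", "?"))
        if finding.created_user in IOC_USERNAMES:
            finding.reasons.append("username matches Ivanti's published IOC")
        if not is_from_management_net(finding.source_ip):
            finding.reasons.append("created from outside the management network")
        findings.append(finding)
    return findings


def suspicious(findings):
    """Only the findings that carry at least one reason."""
    return [fi for fi in findings if fi.reasons]


if __name__ == "__main__":
    for fi in find_admin_creations(SAMPLE_AUDIT_LOG):
        tag = "SUSPICIOUS" if fi.reasons else "review"
        detail = f" ({'; '.join(fi.reasons)})" if fi.reasons else ""
        print(f"{tag}: {fi.timestamp} admin '{fi.created_user}' created from {fi.source_ip}{detail}")
```

On the constructed sample this reports `ops-bob` as a routine creation to review and flags `user1` (IOC name and external source), `svc-backup` (external source only) and `user2` (IOC name only). The source-network test is an explicit allowlist rather than Python's `is_private`, because an attacker reaching an exposed admin panel can come from any address and the question that matters is whether the request came from where admin traffic is supposed to originate.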
The US Cybersecurity and Infrastructure Security Agency (CISA) added the Ivanti vTM authentication bypass flaw to its Known Exploited Vulnerabilities catalog on Tuesday, indicating that it is actively being exploited. In compliance with Binding Operational Directive (BOD) 22-01, federal agencies are now required to secure vulnerable appliances on their networks by October 15. While CISA's KEV catalog primarily alerts federal agencies about vulnerabilities they need to patch urgently, private organizations worldwide are also advised to prioritize mitigating this security flaw to prevent ongoing attacks.
Over the past few months, several Ivanti vulnerabilities have been exploited as zero-days in widespread attacks targeting the company's VPN appliances and its Connect Secure (ICS), Policy Secure (IPS) and ZTA gateways. Ivanti also warned earlier this month that threat actors are chaining two recently patched Cloud Services Appliance (CSA) vulnerabilities in ongoing attacks. In response, Ivanti said in September that it has enhanced its internal scanning and testing capabilities and is working to improve its responsible disclosure process so that security issues are addressed more quickly.