Ivanti Alerts Customers to Patch Critical Authentication Bypass Vulnerability in Virtual Traffic Manager

August 13, 2024

Ivanti has called on customers to patch a severe authentication bypass vulnerability that affects its Virtual Traffic Manager (vTM) appliances and could allow attackers to create unauthorized administrator accounts. Ivanti vTM is a software-based application delivery controller (ADC) that provides app-focused traffic management and load balancing for hosting vital services. The vulnerability, identified as CVE-2024-7593, results from an incorrect implementation of an authentication algorithm, which enables remote, unauthenticated attackers to bypass authentication on vTM admin panels that are exposed to the internet.

"Ivanti released updates for Ivanti Virtual Traffic Manager (vTM) which addressed a critical vulnerability. Successful exploitation could lead to authentication bypass and creation of an administrator user," the company cautioned on Tuesday. While Ivanti is not currently aware of any customers who have been exploited by this vulnerability, a Proof of Concept is publicly available, and the company is urging customers to upgrade to the latest patched version.

To mitigate the risk of potential exploitation, Ivanti is advising admins to limit access to the vTM management interface by binding it to an internal network or private IP address. This will reduce the attack surface. The security flaw has been addressed in Ivanti vTM 22.2R1 and 22.7R2, with patches for the remaining supported versions to be released over the coming weeks.

Although Ivanti has no evidence that the CVE-2024-7593 authentication bypass has been exploited, it is advising admins to check the Audit Logs Output for new 'user1' or 'user2' admin users added through the GUI or by the publicly available exploit code. Ivanti also warned admins to promptly patch an information disclosure vulnerability (CVE-2024-7569) in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier. This vulnerability could allow unauthenticated attackers to obtain the OIDC client secret via debug information.
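An added example (not Ivanti's code and not from the original article) of the audit-log check described above: it scans exported audit lines for user-creation events that name 'user1' or 'user2'. The line layout, the field names (`operation`, `moduser`, `modgroup`, `ip`) and the `adduser` value are assumptions for illustration, and the sample log is constructed; adapt the parser to the format your appliance actually writes.

```python
import re

# ASSUMPTION: audit lines are "[timestamp] key=value ..." records. The field
# names (operation, moduser, modgroup, ip) and the value "adduser" are
# placeholders for this example, not Ivanti's documented format.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
WATCHED_NAMES = {"user1", "user2"}  # account names the article says to look for

# Constructed sample input, not real appliance output.
SAMPLE_LOG = """\
[12/Aug/2024:08:01:10 +0000] user=admin group=admin auth=local ip=10.0.0.5 operation=login
[12/Aug/2024:08:03:44 +0000] user=admin group=admin auth=local ip=10.0.0.5 operation=adduser moduser=ops-jane modgroup=monitoring
[13/Aug/2024:02:17:09 +0000] user=- group=- auth=- ip=203.0.113.50 operation=adduser moduser=user1 modgroup=admin
corrupted line without a timestamp
[13/Aug/2024:02:17:31 +0000] user=- group=- auth=- ip=203.0.113.50 operation=adduser moduser=User2 modgroup=admin
"""


def parse_line(line):
    """Return a dict of fields for one audit line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k.lower(): v for k, v in KV_RE.findall(m.group("rest"))}
    fields["ts"] = m.group("ts")
    return fields


def find_suspect_user_adds(log_text, watched=WATCHED_NAMES):
    """Return (hits, unparsed): watched-name user adds, and lines needing manual review."""
    hits, unparsed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif (rec.get("operation", "").lower() == "adduser"
              and rec.get("moduser", "").lower() in watched):
            hits.append(rec)
    return hits, unparsed


if __name__ == "__main__":
    hits, unparsed = find_suspect_user_adds(SAMPLE_LOG)
    for rec in hits:
        print(f"REVIEW {rec['ts']} new user {rec['moduser']} group={rec.get('modgroup')} ip={rec.get('ip')}")
    print(f"{len(unparsed)} unparsed line(s) need manual review")
```

Lines that fail to parse are returned separately rather than dropped, so a format mismatch shows up as unparsed output instead of a misleading zero-hit result.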

In February, the company patched another authentication bypass flaw (CVE-2024-22024) affecting Ivanti Connect Secure, Policy Secure, and ZTA gateways. Ivanti urged admins to secure vulnerable appliances immediately. Since December 2023, Ivanti VPN appliances have been under attack using exploits that chain the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection flaws as zero days. Ivanti also warned of a third zero-day (a server-side request forgery bug tracked as CVE-2024-21893) under mass exploitation in February, allowing threat actors to bypass authentication on unpatched ICS, IPS, and ZTA gateways.
