A critical authentication bypass vulnerability [1] [3] [4], known as CVE-2024-7593, has been identified in Ivanti’s Virtual Traffic Manager (vTM) appliances, with a CVSS score of 9.8 [2] [6] [7].
Description
This vulnerability arises from an incorrect implementation of an authentication algorithm in older versions of Ivanti vTM [4], allowing remote unauthenticated attackers to bypass authentication and create new admin accounts [2] [3] [4] [5]. Threat actors are actively exploiting this vulnerability, leading to its inclusion in the Known Exploited Vulnerabilities list by the US Cybersecurity and Infrastructure Security Agency (CISA) [2] [9]. Security researchers have disclosed a Metasploit module that automates exploitation, increasing the risk level [7]. Ivanti released patches for all affected vTM versions in August, advising customers to update to the latest patched version and restrict access to the management interface to mitigate the risk [3]. Federal agencies are required to address this vulnerability by October 15, 2024. While no attacks exploiting this vulnerability have been reported [8], there is at least one publicly available Proof-of-Concept exploit for CVE-2024-7593. Ivanti products are frequently targeted by threat actors [3], prompting the vendor to issue patches for multiple vulnerabilities, including some that have been exploited as zero-days.
Conclusion
The exploitation of this vulnerability poses a significant risk to organizations using Ivanti vTM appliances. It is crucial for users to apply the provided patches and restrict access to mitigate the risk of unauthorized access. The proactive response from Ivanti and the disclosure of a Metasploit module highlight the importance of timely updates and security measures to protect against potential threats.
References
[1] https://cyber.vumetric.com/security-news/2024/09/25/ivanti-vtm-auth-bypass-flaw-exploited-in-attacks-cisa-warns-cve-2024-7593/
[2] https://thehackernews.com/2024/09/cisa-flags-critical-ivanti-vtm.html
[3] https://www.infosecurity-magazine.com/news/critical-ivanti-auth-bypass-bug/
[4] https://www.helpnetsecurity.com/2024/09/25/cve-2024-7593-exploited/
[5] https://www.darkreading.com/vulnerabilities-threats/cisa-adds-patched-ivanti-bug-kev-catalog
[6] https://cyber.vumetric.com/security-news/2024/09/25/cisa-flags-critical-ivanti-vtm-vulnerability-amid-active-exploitation-concerns/
[7] https://securityonline.info/cisa-warns-of-actively-exploited-ivanti-vtm-flaw-cve-2024-7593-cvss-9-8-poc-published/
[8] https://securityaffairs.com/168881/hacking/u-s-cisa-adds-ivanti-virtual-traffic-manager-flaw-known-exploited-vulnerabilities-catalog.html
[9] https://fieldeffect.com/blog/critical-vulnerability-in-ivanti-vtm-now-exploited