Pierluigi Paganini August 19, 2024

Researchers at the Shadowserver Foundation observed an exploit attempt based on the public PoC for Ivanti vTM bug CVE-2024-7593.

Researchers at the Shadowserver Foundation observed an exploit attempt based on the public proof of concept (PoC) for the Ivanti vTM bug, CVE-2024-7593.

In Mid-August, Ivanti addressed a critical authentication bypass vulnerability, tracked as CVE-2024-7593 (CVSS score of 9.8), impacting Virtual Traffic Manager (vTM) appliances that can allow attackers to create rogue administrator accounts.

Ivanti vTM (Virtual Traffic Manager) is a software-based traffic management solution designed to optimize and secure application delivery.

“Successful exploitation could lead to authentication bypass and creation of an administrator user.” reads the advisory published by the software firm. “Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel. “

The vulnerability is due to an incorrect implementation of an authentication algorithm that allows remote unauthenticated attackers to bypass authentication on the Internet-facing vTM admin console.

The company addressed the flaw with the patch 22.2R1 (released 26 March 2024) or 22.7R2 (released 20 May 2024). The company explained that customers who have pointed their management interface to a private IP and restricted access can address the issue at their earliest convenience.

At the time of the disclosure, Ivanti stated that it is unaware of attacks exploiting this flaw in the wild, however it is aware of the public availability of Proof of Concept exploit code.

“We are not aware of any customers being exploited by this vulnerability at the time of disclosure. However, a Proof of Concept is publicly available, and we urge customers to upgrade to the latest patched version ” continues the advisory.

To limit the exploitability of this vulnerability, Ivanti recommends limiting Admin Access to the Management Interface internal to the network through the private / corporate network.

The researchers at Shadowserver Foundation found only 31 Ivanti vTM devices exposed on the Internet as of 2024-08-17. Most of the devices are in the United States (14), followed by the UK (5), Bahrain (3) and Canada (3), however, they have observed an exploit attempt based on the public PoC.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – ransomware, Ivanti vTM)