Critical Ivanti vTM Bug Allows Unauthorized Admin Access

Ivanti has patched another major vulnerability, this time affecting its Virtual Traffic Manager (vTM).

Ivanti vTM is an application delivery controller (ADC) within its vADC (Virtual Application Delivery Controller) product line, which focuses on application traffic management and load balancing.

The issue with it, according to a newly published security advisory, has to do with an incorrect implementation of an authentication algorithm. Remote, unauthorized entities could take advantage of the poor implementation to bypass authentication entirely, access the vTM's admin panel, and create an administrator account for their pleasure.

"This opens the door to various malicious activities, such as data theft, service interruptions, and compromise of sensitive systems," explains Patrick Tiquet, vice president of security and architecture at Keeper Security. "Moreover, the ability to bypass authentication can facilitate further exploitation of the network, amplifying the impact of the initial breach."

Such risks have earned this authentication bypass bug, labeled CVE-2024-7593, a critical 9.8 out of 10 score on the Common Vulnerability Scoring System (CVSS) ratings scale.

Ivanti has not observed any customers being attacked via CVE-2024-7593, but did note that a proof-of-concept (PoC) exploit is publicly available.

Dark Reading discovered a vADC exploit on the Exploit Database (Exploit-DB), uploaded on Aug. 4 by the user "ohnoisploited." In response to an inquiry, Ivanti reported that this was not the PoC it was referring to in its advisory.

Ivanti Solution Already for All These Bugs

No other organization has experienced such frequent and public security lapses as Ivanti has this year.

It started with a couple of major zero-day vulnerabilities, then came more, and more, and more still. Plenty of hackers have taken advantage — even, in some cases, after victims already patched — and plenty of organizations have been disrupted along the way.

As with most of these cases, dutiful patching is the best remedy. vTM versions 22.2R1 (from March 26) and 22.7R2 (May 20) are secure against CVE-2024-7593, and more patched versions (22.3R3, 22.5R2, and 22.6R2) are expected to roll out Monday. Patches can be found via Ivanti's standard portal.

Besides patching, organizations can adjust their vTM settings to expose its management panel only to internal, trusted IP addresses. "If customers do not have their management interface exposed to a public IP address they have significantly reduced their attack surface," an Ivanti spokesperson wrote in an email. "It is industry best practice and advised by Ivanti in the network configuration guidance to restrict access to the management interface."