A critical vulnerability in Ivanti Virtual Traffic Manager (vTM) was added to the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity & Infrastructure Security Agency (CISA) on Tuesday.
Ivanti vTM is an application delivery controller (ADC) software designed to balance and manage incoming traffic to web applications. The vulnerability, tracked as CVE-2024-7593, was disclosed in an Ivanti security advisory published Aug. 12, and has a CVSS score of 9.8.
The flaw exists in the implementation of the authentication algorithm in all Ivanti vTM versions released prior to March 26. Attackers can exploit this flaw to remotely bypass authentication and create new admin users through an internet-exposed vTM management interface.
By the time the flaw was first disclosed, proof-of-concept (PoC) exploit code had already been published online. The first versions of Ivanti vTM that resolved CVE-2024-7593 were 22.2R1, released March 26, and 22.7R2, released May 20. The other patched versions, 22.3R3, 22.5R2 and 22.6R2, were released on Aug. 19.
No patches are available for vTM versions that had already reached their End of Support date by Aug. 12.
How to mitigate Ivanti vTM flaw CVE-2024-7593, detect exploits
With its addition to the KEV catalog, federal civilian executive branch (FCEB) agencies are required to remediate CVE-2024-7593 or remove vulnerable assets from their network by Oct. 15.
While the main solution recommended by Ivanti is upgrading to a resolved version, users can also mitigate the vulnerability by binding the vTM management interface to a trusted IP address so that it is reachable only from within their private network.
Ivanti provides instructions for restricting access through the security settings found under the “System” tab on the vTM server interface. Users should select the trusted IP address within their private network through the “bindip” dropdown menu under the “Management IP Address and Admin Server Port” section of their security settings.
Users can also check whether their instance has been compromised by looking for the addition of rogue admin users in their Audit Logs Output. Ivanti provides examples of users added through normal means and users added using the known exploit code. When a user is added through the exploit code, the user, group, auth and IP parameters in the Audit Logs Output entry will be listed as absent.
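To show how the audit-log check described above can be automated, here is an added example (not Ivanti's tooling and not from the advisory). The audit line format is constructed for the illustration: each entry is a timestamp followed by space-separated key=value pairs, with the field names user, group, auth and ip assumed. Real vTM audit output may differ, so the parser should be adapted to an actual export before use.

```python
"""Flag admin-user additions in vTM audit output that lack the identity
fields a normally created user carries.

Added illustration, not Ivanti's own tooling. The log format below is
CONSTRUCTED: one audit entry per line, a timestamp, then key=value pairs.
"""
import re
from typing import Dict, List

# Fields a legitimately created admin user is expected to carry.
# Per the advisory guidance, an account created via the known exploit
# shows these as absent. Field names are an assumption of this example.
EXPECTED_FIELDS = ("user", "group", "auth", "ip")

# Constructed sample audit output (hypothetical format and values).
SAMPLE_AUDIT_LOG = """\
2024-08-14T09:12:01Z action=user_add target=ops_backup user=admin group=admin auth=local ip=10.0.0.15
2024-08-14T11:40:27Z action=user_add target=svc_monitor user=absent group=absent auth=absent ip=absent
2024-08-15T02:03:44Z action=user_add target=helpdesk
2024-08-15T02:05:10Z action=login user=admin auth=local ip=10.0.0.15
"""

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_entry(line: str) -> Dict[str, str]:
    """Parse one constructed audit line into a dict of its key=value fields."""
    fields = dict(_KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def is_suspicious(entry: Dict[str, str]) -> bool:
    """True for a user-add entry whose identity fields are missing or marked absent."""
    if entry.get("action") != "user_add":
        return False
    for name in EXPECTED_FIELDS:
        value = entry.get(name)
        if value is None or value.lower() in ("absent", "", "-"):
            return True
    return False


def find_rogue_user_adds(log_text: str) -> List[str]:
    """Return the target usernames of user-add entries that look exploit-created."""
    rogue = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if is_suspicious(entry):
            rogue.append(entry.get("target", "<unknown>"))
    return rogue


if __name__ == "__main__":
    for account in find_rogue_user_adds(SAMPLE_AUDIT_LOG):
        print(f"suspicious admin account: {account}")
```

Any account the script reports should be treated as a compromise indicator and investigated alongside the rest of the audit trail (logins from that account, configuration changes) rather than simply deleted.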
The Shadowserver Foundation began tracking internet-exposed Ivanti vTM instances, regardless of patching status, in mid-August, and discovered only 31 exposed instances as of Aug. 17. However, it observed an exploit attempt based on the available PoC on Aug. 18, according to a post on X.
As of Sept. 24, only 21 internet-exposed instances were detected, according to Shadowserver’s time series dashboard.
Ivanti vulnerabilities are frequently targeted by threat actors, with 20 vulnerabilities in Ivanti products listed in the KEV catalog as of Wednesday.
Earlier this month, two flaws in the Ivanti Cloud Service Appliance, tracked as CVE-2024-8190 and CVE-2024-8963, were also added to the KEV catalog. Ivanti also patched a critical vulnerability in its Endpoint Management software, tracked as CVE-2024-29847, which has a maximum CVSS score of 10, on Sept. 10.