
August 13, 2024

Critical vulnerability discovered in Ivanti’s Virtual Traffic Manager


A critical vulnerability has recently been discovered in Ivanti’s Virtual Traffic Manager (vTM), an application delivery controller (ADC) that provides traffic management and load balancing for critical business services.

The flaw, designated CVE-2024-7593, is due to an erroneous authentication algorithm that, when exploited, could allow threat actors to remotely bypass authentication requirements on exposed vTM appliances and create rogue administrator accounts.

So far, Ivanti hasn’t observed any exploitation of CVE-2024-7593 in the wild, but it is aware that at least one Proof-of-Concept (PoC) exploit is publicly available. Ivanti recommends that users upgrade affected vTMs to the latest version as soon as possible. Those who cannot upgrade unpatched vTM appliances should restrict access by hosting them on an internal network or private IP address.

Source: Bleeping Computer

Analysis

2024 continues to be a rough year for Ivanti. The company has struggled with vulnerabilities, some of them zero-day vulnerabilities, in many of its products. Making matters worse, nation-state actors often target these vulnerabilities to deploy various custom malware strains.

For example, Ivanti’s Connect Secure and Policy Secure gateways were the subject of the Cybersecurity and Infrastructure Security Agency’s (CISA) first emergency directive of 2024 that ordered federal agencies to secure the vulnerable gateways against zero-day flaws targeted in widespread attacks.

Despite Ivanti’s claim that it has not yet observed exploitation of CVE-2024-7593 in the wild, it’s likely only a matter of time before threat actors begin targeting unpatched appliances, especially considering at least one PoC exploit is publicly available.

As such, organizations must upgrade vulnerable appliances as soon as possible to deny threat actors this potential attack vector.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software like Ivanti’s vTM. Field Effect MDR users were automatically notified if a vulnerable version of vTM was detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly recommends that users of affected vTM appliances update to the latest version as soon as possible, in accordance with the advisory. Field Effect also recommends that systems like vTM are not exposed to the open internet without proper controls such as IP whitelisting and VPN requirements, unless there is a legitimate business need to do so.

Although no vulnerable devices have reportedly been exploited yet, organizations can check for compromise by reviewing the vTM audit log output and confirming that it contains no unauthorized administrator-level user accounts.
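As an added illustration of the audit-log review described above (example code written for this article, not Field Effect's or Ivanti's tooling), the script below scans constructed audit entries in an assumed "timestamp actor action key=value" layout and reports accounts created in an admin group that are not on an approved list, along with any logins those accounts made afterwards. The log layout, field names and sample values are assumptions; adapt the regex to the real vTM audit log export.

```python
import re

# Constructed sample audit log in an assumed layout: "YYYY-MM-DD HH:MM:SS actor ACTION key=value ...".
# The third entry models a rogue admin account created via an authentication bypass.
SAMPLE_AUDIT_LOG = """\
2024-08-12 09:14:02 admin LOGIN source=10.0.5.12 result=success
2024-08-12 09:15:40 admin USER_CREATE user=ops_backup group=admin
2024-08-13 03:22:17 admin USER_CREATE user=support_tmp group=admin
2024-08-13 03:22:19 support_tmp LOGIN source=203.0.113.45 result=success
2024-08-13 10:01:00 admin USER_CREATE user=viewer1 group=monitoring
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<actor>\S+) (?P<action>\S+) ?(?P<detail>.*)$")


def parse_audit_line(line):
    """Split one audit line into a dict; key=value pairs in the detail part become fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    detail = dict(kv.split("=", 1) for kv in m["detail"].split() if "=" in kv)
    return {"ts": m["ts"], "actor": m["actor"], "action": m["action"], **detail}


def find_rogue_admins(log_text, approved_admins, admin_groups=("admin",)):
    """Return {username: info} for admin-group accounts created that are not on the approved list.

    Each entry records when and by whom the account was created and every login it made later,
    which helps scope an incident (source addresses, time window) rather than just flagging it.
    """
    rogue = {}
    for line in log_text.splitlines():
        entry = parse_audit_line(line)
        if entry is None:
            continue
        if (entry["action"] == "USER_CREATE"
                and entry.get("group") in admin_groups
                and entry.get("user") not in approved_admins):
            rogue[entry["user"]] = {"created": entry["ts"], "by": entry["actor"], "logins": []}
        elif entry["action"] == "LOGIN" and entry["actor"] in rogue:
            rogue[entry["actor"]]["logins"].append((entry["ts"], entry.get("source")))
    return rogue


if __name__ == "__main__":
    # The approved list would come from the organisation's own admin inventory.
    for user, info in find_rogue_admins(SAMPLE_AUDIT_LOG, {"admin", "ops_backup"}).items():
        print(f"UNAPPROVED ADMIN {user}: created {info['created']} by {info['by']}, logins {info['logins']}")
```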
