Third Ivanti Vulnerability Recently Exploited in Active Attacks

By admin | 2024-09-27 | Cyber Attack

A newly discovered vulnerability in Ivanti's Virtual Traffic Manager (vTM) is being actively exploited, marking the third such flaw to receive a warning within two weeks. The critical authentication bypass vulnerability, tracked as CVE-2024-7593, allows remote attackers to create administrator accounts without authentication.

Ivanti released patches for this vulnerability on August 12, initially reporting no evidence of exploitation in the wild. However, the company later acknowledged the availability of a proof-of-concept (PoC) exploit. While no public reports of attacks have surfaced, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-7593 to its Known Exploited Vulnerabilities (KEV) Catalog.

Ivanti has provided patches and security recommendations, including indicators of compromise (IoCs), to help mitigate the risk of exploitation. However, the advisory has not yet confirmed any direct malicious activity related to this vulnerability.

Censys reported 97 internet-exposed Ivanti vTM instances, while ZoomEye identified 164, with most located in the United States and Japan. This flaw joins two other recent vulnerabilities, CVE-2024-8963 and CVE-2024-8190, which impact Ivanti’s Cloud Services Appliance (CSA) and have been used for unauthenticated remote code execution.

Exploitation of Ivanti products is not uncommon: CISA’s KEV Catalog currently lists 20 Ivanti vulnerabilities, some of which have been used in attacks against prominent organizations like MITRE and CISA.