Critical Ivanti vTM Bug Allows Unauthorized Admin Access

Published: 23/11/2024   Category: security




The CVSS 9.8 authentication bypass in Ivanti's traffic manager admin panel already has a proof-of-concept (PoC) exploit lurking in the wild.



Ivanti has patched another major vulnerability, this time affecting its Virtual Traffic Manager (vTM).
Ivanti vTM is an application delivery controller (ADC) within its vADC (Virtual Application Delivery Controller) product line, which focuses on application traffic management and load balancing.
The issue with it, according to a newly published security advisory, has to do with an incorrect implementation of an authentication algorithm. Remote, unauthorized entities could take advantage of the poor implementation to bypass authentication entirely, access the vTM's admin panel, and create an administrator account of their own.
"This opens the door to various malicious activities, such as data theft, service interruptions, and compromise of sensitive systems," explains Patrick Tiquet, vice president of security and architecture at Keeper Security. "Moreover, the ability to bypass authentication can facilitate further exploitation of the network, amplifying the impact of the initial breach."
Such risks have earned this authentication bypass bug, labeled CVE-2024-7593, a critical 9.8 out of 10 score on the Common Vulnerability Scoring System (CVSS) ratings scale.
Ivanti has not observed any customers being attacked via CVE-2024-7593, but did note that a proof-of-concept (PoC) exploit is publicly available.
Dark Reading discovered a vADC exploit on the Exploit Database (Exploit-DB), uploaded on Aug. 4 by the user ohnoisploited. In response to an inquiry, Ivanti reported that this was not the PoC it was referring to in its advisory.
No other organization has experienced such frequent and public security lapses as Ivanti has this year.
It started with a couple of major zero-day vulnerabilities, then came more, and more, and more still. Plenty of hackers have taken advantage — even, in some cases, after victims already patched — and plenty of organizations have been disrupted along the way.
As with most of these cases, dutiful patching is the best remedy. vTM versions 22.2R1 (from March 26) and 22.7R2 (May 20) are secure against CVE-2024-7593, and more patched versions (22.3R3, 22.5R2, and 22.6R2) are expected to roll out Monday. Patches can be found via Ivanti's standard portal.
Besides patching, organizations can adjust their vTM settings to expose its management panel only to internal, trusted IP addresses. "If customers do not have their management interface exposed to a public IP address they have significantly reduced their attack surface," an Ivanti spokesperson wrote in an email. "It is industry best practice and advised by Ivanti in the network configuration guidance to restrict access to the management interface."
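The two remedies above (patch level and management-interface exposure) can be checked together across a fleet. The following is an added example, not code from Ivanti or from the original article: it triages a constructed inventory against the fixed releases named in this article. The inventory format, hostnames, and trusted ranges are assumptions, as is treating any lower revision on a listed branch as unpatched.

```python
import ipaddress
import re

# Fixed revision per branch, taken from the article (22.3R3, 22.5R2 and
# 22.6R2 were still pending release when it was written).
FIXED = {"22.2": 1, "22.3": 3, "22.5": 2, "22.6": 2, "22.7": 2}
# Assumption: "internal, trusted" means RFC 1918 space plus loopback.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
VERSION_RE = re.compile(r"^(\d+\.\d+)(?:R(\d+))?$")


def patch_status(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a vTM version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    branch, rev = m.group(1), int(m.group(2) or 0)
    if branch not in FIXED:
        return "unknown"  # branch not named in the article: check the advisory
    return "patched" if rev >= FIXED[branch] else "vulnerable"


def mgmt_exposed(bind_addr):
    """True when the admin listener is bound outside the trusted ranges."""
    ip = ipaddress.ip_address(bind_addr)
    # 0.0.0.0 (all interfaces) matches no trusted network, so it is flagged.
    return not any(ip in net for net in TRUSTED)


def triage(inventory):
    """Return (host, status, exposed) rows, most urgent first."""
    rank = {"vulnerable": 0, "unknown": 1, "patched": 2}
    rows = [(h, patch_status(v), mgmt_exposed(a)) for h, v, a in inventory]
    return sorted(rows, key=lambda r: (rank[r[1]], not r[2], r[0]))


# Constructed inventory: hostnames and addresses are made up for the example.
SAMPLE = [
    ("vtm-dmz-01", "22.7R1", "0.0.0.0"),
    ("vtm-core-01", "22.7R2", "10.20.0.5"),
    ("vtm-lab-01", "22.3R2", "192.168.50.9"),
    ("vtm-edge-02", "22.2R1", "203.0.113.10"),
    ("vtm-old-01", "21.4", "10.20.0.9"),
]

if __name__ == "__main__":
    for host, status, exposed in triage(SAMPLE):
        print(f"{host:12} {status:10} mgmt_exposed={exposed}")
```

A host reported as patched but still exposed (vtm-edge-02 in the sample) remains worth fixing, since restricting the management interface is advised independently of this CVE.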
