A critical authentication bypass vulnerability in Ivanti Virtual Traffic Manager (vTM) has now been exploited by threat actors in the wild, according to the US Cybersecurity and Infrastructure Security Agency (CISA).
CISA added the bug to its long list of Known Exploited Vulnerabilities (KEV) on September 24, with federal agencies given until October 15 to patch it. However, Ivanti has yet to update its security advisory to reflect the new information.
The advisory, first published on August 12 and last modified on September 4, states: “We are not aware of any customers being exploited by this vulnerability at the time of disclosure. However, a Proof of Concept is publicly available, and we urge customers to upgrade to the latest patched version.”
It appears that those concerns have now been realized, although it’s unclear how widespread exploitation is. CISA said it is also currently unknown whether the flaw is being used in ransomware attacks.
The vulnerability in question, CVE-2024-7593, has a CVSS score of 9.8, reflecting that it allows an unauthenticated attacker to bypass authentication and create a new user with admin rights.
“Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel,” the description reads.
As well as patching the bug, Ivanti provided advice for customers on how to limit exploitability.
“Customers who have ensured their management interface is bound to an internal network or private IP address have significantly reduced their attack surface,” it noted. “It is industry best practice and advised by Ivanti in the network configuration guidance to restrict access to the management interface.”
Ivanti products are perennially targeted by threat actors, often as zero-days, especially in its gateway and VPN appliances and mobile device management software.
In just the first month of 2024, the vendor released patches for four vulnerabilities, two of which were exploited as zero-days by Chinese threat actors.