Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a serious security vulnerability affecting Ivanti Virtual Traffic Manager (vTM) to its Known Exploited Vulnerabilities (KEV) catalog, following indications of active exploitation in the wild. The vulnerability, identified as CVE-2024-7593, has a CVSS score of 9.8 and allows a remote, unauthenticated attacker to circumvent the authentication process of the admin panel, potentially enabling the creation of unauthorized administrative accounts.

CISA noted, “Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that allows a remote, unauthenticated attacker to create a chosen administrator account.” This alarming flaw poses a significant risk to organizations relying on the affected software for traffic management.

In August 2024, Ivanti issued patches to address this vulnerability in versions 22.2R1, 22.3R3, 22.5R2, 22.6R2, and 22.7R2. Despite the availability of these updates, the agency has not provided specific insights into how the vulnerability is being exploited or who may be behind the activity. However, Ivanti has acknowledged that a proof-of-concept (PoC) for the vulnerability is publicly available, which could further facilitate exploitation.
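A small inventory check against the fixed releases listed above, as an added example that is not part of the article or of any Ivanti tooling. It assumes vTM version strings follow the `22.3R2` pattern used in the article, treats a branch as remediated only at or above the listed fix release, and reports any branch the article does not cover as unknown rather than guessing.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed versions for CVE-2024-7593 as listed in the article (Ivanti, August 2024).
FIXED_VERSIONS = ("22.2R1", "22.3R3", "22.5R2", "22.6R2", "22.7R2")

# Assumption: version strings look like <major>.<minor>R<release>, e.g. "22.3R2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)$")


def parse_vtm_version(version: str) -> Tuple[int, int, int]:
    """Parse a vTM version string into (major, minor, release)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised vTM version format: {version!r}")
    major, minor, release = (int(x) for x in m.groups())
    return major, minor, release


def fixed_release_for_branch(major: int, minor: int) -> Optional[int]:
    """Return the fix release number for a feature branch, or None if not listed."""
    for fixed in FIXED_VERSIONS:
        fmaj, fmin, frel = parse_vtm_version(fixed)
        if (fmaj, fmin) == (major, minor):
            return frel
    return None


def assess_version(version: str) -> str:
    """Classify a version as 'patched', 'vulnerable' or 'unknown' for CVE-2024-7593."""
    major, minor, release = parse_vtm_version(version)
    fix_release = fixed_release_for_branch(major, minor)
    if fix_release is None:
        # Branch not covered by the listed fixes: consult the vendor advisory.
        return "unknown"
    return "patched" if release >= fix_release else "vulnerable"


def assess_inventory(versions: Iterable[str]) -> Dict[str, str]:
    """Map each version string in an inventory to its assessment."""
    return {v: assess_version(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts or confirmed releases.
    sample = ["22.2R1", "22.3R2", "22.5R1", "22.7R2", "21.4R3"]
    for version, status in assess_inventory(sample).items():
        print(f"{version:8s} {status}")
```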

In response to the heightened risk, federal agencies in the Federal Civilian Executive Branch (FCEB) must remediate the vulnerability by October 15, 2024, to protect their networks against possible intrusions. This development comes at a critical time, as several other vulnerabilities affecting Ivanti products, including CVE-2024-8190 and CVE-2024-8963, have recently been reported as actively exploited.

Ivanti has said it is aware of targeted attacks against a “limited number of customers” related to these vulnerabilities. Data compiled by Censys indicates there are currently 2,017 exposed Ivanti Cloud Service Appliance (CSA) instances online, primarily within the United States. How many of these instances are actually susceptible remains unclear, which adds to the urgency for organizations to assess their exposure.

This incident underscores the pressing need for organizations to implement robust security measures, including regular vulnerability assessments and timely software updates, to mitigate risks associated with known vulnerabilities. In terms of potential tactics, techniques, and procedures (TTPs) as outlined in the MITRE ATT&CK framework, attackers may gain initial access by exploiting the identified vulnerability and then escalate privileges by creating unauthorized administrator accounts.

A continued focus on cybersecurity resilience is imperative for business owners as the threat landscape evolves. The current incident serves as a poignant reminder of the vulnerabilities inherent in widely used software and the critical need for proactive risk management strategies.