CVE-2024-7593
published 2024-08-13

Priority: P1 (100) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2024-10-15
Exploited in the wild
EPSS: 99.99% (100.0th percentile)
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.

Affected (6 ranges)

Vendor | Product | Version range | Fixed in
ivanti | virtual_traffic_manager | |
ivanti | virtual_traffic_manager | |
ivanti | virtual_traffic_manager | |
ivanti | virtual_traffic_manager | |
ivanti | virtual_traffic_manager | |
ivanti | virtual_traffic_manager | |

Detection & IOCs (extracted from sources)

url: /apps/zxtm/wizard.fcgi?error=1&section=Access+Management%3ALocalUsers
url: /apps/zxtm/login.cgi
path: /apps/zxtm/
cookie: ZeusTMZAUTH=
cookie: ZeusTMZAUTHTIME=
other: http.favicon.hash:1862800928
other: html:"apps/zxtm/login.cgi"
  • Check Audit Logs for newly created 'user1' or 'user2' admin accounts as indicators of exploitation via the publicly available PoC.
  • Detect unauthenticated POST requests to /apps/zxtm/wizard.fcgi with parameters 'create_user=Create' and 'group=admin' — this is the exploit's user-creation step.
  • Detect HTTP 302 responses from /apps/zxtm/login.cgi that set both ZeusTMZAUTH and ZeusTMZAUTHTIME cookies simultaneously — this indicates successful authentication bypass.
  • The exploit uses a multipart/form-data boundary '----WebKitFormBoundarycznFUOqD0Y01A9B5' — this static boundary string in POST requests to /apps/zxtm/login.cgi is a strong PoC indicator.
  • The response body containing 'wizardtitletext' in the wizard.fcgi response confirms the admin user creation endpoint is accessible without authentication.
  • Use Shodan/FOFA queries for favicon hash 1862800928 or HTML string 'apps/zxtm/login.cgi' to identify internet-exposed Ivanti vTM management interfaces.
  • Exploitation requires access to the vTM management interface. Binding the management interface to an internal network or private IP address blocks the attack vector.
  • A FOFA search identified more than 400 results tied to over 200 unique IPs with potentially internet-exposed management interfaces, significantly widening the attack surface.
  • The Metasploit module confirms affected versions as 22.7R1, 22.6R1, 22.5R1, 22.3R2, 22.3, and 22.2; only 22.2R1 and 22.7R2 are patched at initial release.
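The detection points above, applied to HTTP transactions in one place, as an added example that is not from the page's sources, from Ivanti, or from any published rule. It assumes transactions have been exported from a reverse proxy or WAF in front of the management interface as dicts with the keys src, method, path, status, params, request_cookies, set_cookies and content_type (an assumed export format), and the sample transactions are constructed; since a normal login also sets both session cookies, a login.cgi 302 is only rated high when the same source first created a user through wizard.fcgi.

```python
from collections import defaultdict

WIZARD = "/apps/zxtm/wizard.fcgi"
LOGIN = "/apps/zxtm/login.cgi"
AUTH_COOKIES = {"ZeusTMZAUTH", "ZeusTMZAUTHTIME"}
POC_BOUNDARY = "----WebKitFormBoundarycznFUOqD0Y01A9B5"


def _set_cookie_names(values):
    """Cookie names from a list of Set-Cookie values, e.g. 'ZeusTMZAUTH=abc; Path=/'."""
    return {v.split("=", 1)[0].strip() for v in values}


def detect(transactions):
    """Return (source_ip, severity, reason) tuples for suspicious transactions.

    An unauthenticated admin-user creation through wizard.fcgi is high on its
    own; a login.cgi 302 that sets both session cookies is low on its own and
    high when the same source created a user earlier in the stream.
    """
    findings = []
    created_user = defaultdict(bool)  # source ip -> saw a user-creation POST
    for tx in transactions:
        src, path = tx["src"], tx["path"]
        params = tx.get("params", {})
        authed = "ZeusTMZAUTH" in tx.get("request_cookies", {})
        if tx["method"] == "POST" and path == WIZARD and not authed \
                and params.get("create_user") == "Create" and params.get("group") == "admin":
            created_user[src] = True
            findings.append((src, "high", "unauthenticated admin user creation via wizard.fcgi"))
        if path == LOGIN and tx.get("status") == 302 \
                and AUTH_COOKIES <= _set_cookie_names(tx.get("set_cookies", [])):
            sev = "high" if created_user[src] else "low"
            findings.append((src, sev, "login.cgi 302 set both ZeusTMZAUTH cookies"))
        if path == LOGIN and POC_BOUNDARY in tx.get("content_type", ""):
            findings.append((src, "high", "static PoC multipart boundary in login.cgi request"))
    return findings


# Constructed sample transactions (not real traffic): a PoC-like sequence from
# 203.0.113.5 followed by an ordinary admin login from 10.0.0.7.
SAMPLE = [
    {"src": "203.0.113.5", "method": "POST", "path": WIZARD, "status": 200,
     "params": {"create_user": "Create", "group": "admin", "user": "user1"}},
    {"src": "203.0.113.5", "method": "POST", "path": LOGIN, "status": 302,
     "content_type": "multipart/form-data; boundary=" + POC_BOUNDARY,
     "set_cookies": ["ZeusTMZAUTH=deadbeef; Path=/", "ZeusTMZAUTHTIME=1723500000; Path=/"]},
    {"src": "10.0.0.7", "method": "POST", "path": LOGIN, "status": 302,
     "content_type": "application/x-www-form-urlencoded",
     "set_cookies": ["ZeusTMZAUTH=cafe; Path=/", "ZeusTMZAUTHTIME=1723500100; Path=/"]},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```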

CVSS provenance

nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL