CVE-2024-7593
Published 2024-08-13
Priority: P1 · 100 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2024-10-15
Exploited in the wild
EPSS: 99.99% (100.0th percentile)
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | virtual_traffic_manager | — | — |
| ivanti | virtual_traffic_manager | — | — |
| ivanti | virtual_traffic_manager | — | — |
| ivanti | virtual_traffic_manager | — | — |
| ivanti | virtual_traffic_manager | — | — |
| ivanti | virtual_traffic_manager | — | — |
Detection & IOCs (extracted from sources)
- url: /apps/zxtm/wizard.fcgi?error=1&section=Access+Management%3ALocalUsers
- url: /apps/zxtm/login.cgi
- path: /apps/zxtm/
- cookie: ZeusTMZAUTH=
- cookie: ZeusTMZAUTHTIME=
- other: http.favicon.hash:1862800928
- other: html:"apps/zxtm/login.cgi"
- Check Audit Logs for newly created 'user1' or 'user2' admin accounts as indicators of exploitation via the publicly available PoC.
- Detect unauthenticated POST requests to /apps/zxtm/wizard.fcgi with parameters 'create_user=Create' and 'group=admin'; this is the exploit's user-creation step.
- Detect HTTP 302 responses from /apps/zxtm/login.cgi that set both ZeusTMZAUTH and ZeusTMZAUTHTIME cookies simultaneously; this indicates successful authentication bypass.
- The exploit uses a multipart/form-data boundary '----WebKitFormBoundarycznFUOqD0Y01A9B5'; this static boundary string in POST requests to /apps/zxtm/login.cgi is a strong PoC indicator.
- The response body containing 'wizardtitletext' in the wizard.fcgi response confirms the admin user creation endpoint is accessible without authentication.
- Use Shodan/FOFA queries for favicon hash 1862800928 or HTML string 'apps/zxtm/login.cgi' to identify internet-exposed Ivanti vTM management interfaces.
- Exploitation requires access to the vTM management interface. Binding the management interface to an internal network or private IP address blocks the attack vector.
- A FOFA search identified more than 400 results tied to over 200 unique IPs with potentially internet-exposed management interfaces, significantly widening the attack surface.
- The Metasploit module confirms affected versions as 22.7R1, 22.6R1, 22.5R1, 22.3R2, 22.3, and 22.2; only 22.2R1 and 22.7R2 are patched at initial release.
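The request-level checks listed above, applied to HTTP transaction records; this is an added example, not code from this page or from any of the quoted sources. The record field names (`method`, `uri`, `status`, `content_type`, `body`, `set_cookie`) and the sample records are assumptions constructed for illustration; the matched strings are the ones quoted on this page.

```python
from urllib.parse import urlsplit, parse_qs

# Static multipart boundary quoted on this page as a PoC indicator.
POC_BOUNDARY = "----WebKitFormBoundarycznFUOqD0Y01A9B5"

def indicators(tx):
    """Return the names of the page's indicators that one transaction matches."""
    hits = []
    url = urlsplit(tx["uri"])
    query = parse_qs(url.query)          # decodes '+' and %3A before comparing
    is_post = tx["method"] == "POST"
    if is_post and url.path == "/apps/zxtm/wizard.fcgi":
        body = parse_qs(tx.get("body", ""))
        if (query.get("error") == ["1"]
                and query.get("section") == ["Access Management:LocalUsers"]
                and body.get("create_user") == ["Create"]
                and body.get("group") == ["admin"]):
            hits.append("wizard-admin-create")
    if url.path == "/apps/zxtm/login.cgi":
        # Compare exact cookie names so ZeusTMZAUTHTIME never counts as ZeusTMZAUTH.
        names = {c.split("=", 1)[0].strip() for c in tx.get("set_cookie", [])}
        if tx.get("status") == 302 and {"ZeusTMZAUTH", "ZeusTMZAUTHTIME"} <= names:
            hits.append("login-302-both-auth-cookies")
        if is_post and POC_BOUNDARY in tx.get("content_type", ""):
            hits.append("poc-static-boundary")
    return hits

def scan(transactions):
    """Return (index, [indicator names]) for every transaction with a match."""
    return [(i, hits) for i, tx in enumerate(transactions)
            if (hits := indicators(tx))]

# Constructed sample records (not real traffic).
SAMPLE = [
    {"method": "GET", "uri": "/apps/zxtm/login.cgi", "status": 200},
    {"method": "POST", "uri": "/apps/zxtm/login.cgi", "status": 302,
     "content_type": "multipart/form-data; boundary=" + POC_BOUNDARY,
     "set_cookie": ["ZeusTMZAUTH=aaaa; Path=/", "ZeusTMZAUTHTIME=1; Path=/"]},
    {"method": "POST", "status": 200,
     "uri": "/apps/zxtm/wizard.fcgi?error=1&section=Access+Management%3ALocalUsers",
     "body": "_form_submitted=form&create_user=Create&group=admin&newusername=user1"},
    # Constructed non-match: no error=1 in the query and a non-admin group.
    {"method": "POST", "status": 200,
     "uri": "/apps/zxtm/wizard.fcgi?section=Access+Management%3ALocalUsers",
     "body": "_form_submitted=form&create_user=Create&group=Monitoring"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE):
        print(index, hits)
```

A match on `wizard-admin-create` is worth correlating with the audit-log check for newly created admin accounts described in the first item above.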
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 9.8 CRITICAL
- cisa · 9.8 CRITICAL
GHSA
GHSA-8j5m-w2v7-mx38: Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22
ghsa_unreviewed·2024-08-13
CVE-2024-7593 [CRITICAL] CWE-287 GHSA-8j5m-w2v7-mx38: Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
VulnCheck
Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-7593 [CRITICAL] CWE-287 Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that allows a remote, unauthenticated attacker to create a chosen administrator account.
Affected: Ivanti Virtual Traffic Manager
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2024-7593; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-06&host_type=src&vulnerability=cve-2024-7593; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-14&host_type=src&vulnerability=cve-2024-7593; https://dashboard.shadowserver.org/stat
CISA
Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
cisa·2024-09-24·CVSS 9.8
CVE-2024-7593 [CRITICAL] CWE-287 Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
Vulnerability: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
Affected: Ivanti Virtual Traffic Manager
Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that allows a remote, unauthenticated attacker to create a chosen administrator account.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593 ; https://nvd.nist.gov/vuln/detail/CVE-2024-7593
Remediation Due Date: 2024-10-15
Ivanti
Ivanti Virtual Traffic Manager Authentication Bypass
vendor_ivanti·2024-09-24·CVSS 9.8
CVE-2024-7593 [CRITICAL] Ivanti Virtual Traffic Manager Authentication Bypass
Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that allows a remote, unauthenticated attacker to create a chosen administrator account.
CVE IDs: CVE-2024-7593
Affected products: Virtual Traffic Manager
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Remediation Due Date: 2024-10-15
Suricata
ET WEB_SPECIFIC_APPS Ivanti Virtual Traffic Manager (vTM) Authentication Bypass (CVE-2024-7593)
suricata·2024-09-25·CVSS 9.8
CVE-2024-7593 [CRITICAL] ET WEB_SPECIFIC_APPS Ivanti Virtual Traffic Manager (vTM) Authentication Bypass (CVE-2024-7593)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Virtual Traffic Manager (vTM) Authentication Bypass (CVE-2024-7593)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/apps/zxtm/wizard.fcgi?"; fast_pattern; content:"error|3d|1"; content:"section|3d|Access|20|Management|3a|LocalUsers"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"_form_submitted|3d|form"; content:"create_user|3d|Create"; content:"group|3d|admin"; content:"newusername|3d|"; content:"password1|3d|"; reference:url,forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593; reference:cve,2024-7593
Suricata
ET WEB_SPECIFIC_APPS Ivanti Virtual Traffic Manager Authentication Bypass Attempt (CVE-2024-7593)
suricata·2024-09-03·CVSS 9.8
CVE-2024-7593 [CRITICAL] ET WEB_SPECIFIC_APPS Ivanti Virtual Traffic Manager Authentication Bypass Attempt (CVE-2024-7593)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Virtual Traffic Manager Authentication Bypass Attempt (CVE-2024-7593)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/apps/zxtm/wizard.fcgi|3f|"; fast_pattern; startswith; content:"error=1"; content:"section=Access+Management:LocalUsers"; http.request_body; content:"_form_submitted=form|26|"; startswith; content:"create_user=Create"; content:"group=admin"; content:"newusername="; content:"password1="; content:"password2="; reference:url,www.exploit-db.com/exploits/52062; reference:url,forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593?language=
Nuclei
Ivanti vTM - Authentication Bypass
nuclei·CVSS 9.8
CVE-2024-7593 [CRITICAL] Ivanti vTM - Authentication Bypass
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
Template:
```yaml
id: CVE-2024-7593
info:
  name: Ivanti vTM - Authentication Bypass
  author: gy741
  severity: critical
  description: |
    Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
  impact: |
    Unauthenticated attackers can bypass authentication to access the admin panel, gaining full administrative control of the Ivanti vTM system and potentially modifying traffic management configurations.
  remediation: |
    Upgrade to the latest vers
```
Metasploit
Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)
metasploit·CVSS 9.8
CVE-2024-7593 [CRITICAL] Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)
This module exploits an access control issue in Ivanti Virtual Traffic Manager (vTM), by adding a new administrative user to the web interface of the application. Affected versions include 22.7R1, 22.6R1, 22.5R1, 22.3R2, 22.3, 22.2.
arXiv
TELSAFE: Security Gap Quantitative Risk Assessment Framework
arxiv_fulltext·2025-07-09
Sarah Ali Siddiqui¹, Chandra Thapa¹, Derui Wang¹, Rayne Holland¹, Wei Shao¹, Seyit Camtepe¹, Hajime Suzuki¹ and Rajiv Shah²
¹ CSIRO Data61, Sydney, Australia
² MDR Security, Canberra, Australia
## Abstract
Gaps between established security standards and their practical implementation have the potential to introduce vulnerabilities, possibly exposing them to security risks. To effectively address and mitigate these security and compliance challenges, security risk management strategies are essential.
However, it must adhere to well-established strategies and industry standards to ensure consistency, reliability, and compatibility both within and across organiza
Bleepingcomputer
Critical Ivanti vTM auth bypass bug now exploited in attacks
blogs_bleepingcomputer·2024-09-24·CVSS 9.8
CVE-2024-7593 [CRITICAL] Critical Ivanti vTM auth bypass bug now exploited in attacks
## Critical Ivanti vTM auth bypass bug now exploited in attacks
## Sergiu Gatlan
CISA has tagged another critical Ivanti security vulnerability, which can let threat actors create rogue admin users on vulnerable Virtual Traffic Manager (vTM) appliances, as actively exploited in attacks.
Tracked as CVE-2024-7593, this auth bypass flaw is caused by an incorrect implementation of an authentication algorithm that lets remote unauthenticated attackers circumvent authentication on Internet-exposed vTM admin panels.
Ivanti vTM is a software-based application delivery controller (ADC) that provides load balancing and traffic management for hosting business-critical services.
"Successful exploitation could lead to authentication bypass and creation of an administrator user," Ivanti warned whe
Tenable
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
blogs_tenable·2024-08-14·CVSS 9.8
[CRITICAL] CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
Bleepingcomputer
Ivanti warns of critical vTM auth bypass with public exploit
blogs_bleepingcomputer·2024-08-13·CVSS 9.8
CVE-2024-7593 [CRITICAL] Ivanti warns of critical vTM auth bypass with public exploit
## Ivanti warns of critical vTM auth bypass with public exploit
## Sergiu Gatlan
Today, Ivanti urged customers to patch a critical authentication bypass vulnerability impacting Virtual Traffic Manager (vTM) appliances that can let attackers create rogue administrator accounts.
Ivanti vTM is a software-based application delivery controller (ADC) that provides app-centric traffic management and load balancing for hosting business-critical services.
Tracked as CVE-2024-7593, this auth bypass vulnerability is due to an incorrect implementation of an authentication algorithm that allows remote unauthenticated attackers to bypass authentication on Internet-exposed vTM admin panels.
"Ivanti released updates for Ivanti Virtual Traffic Manager (vTM) which addressed a critical vulnerability. S
Greynoiseio
NoiseLetter August 2024
blogs_greynoiseio
2024-08-13: Published
2024-09-24: Added to CISA KEV
Exploited in the wild