A vulnerability affecting Ivanti’s Virtual Traffic Manager application delivery controller is being exploited in the wild. This is the third flaw for which Ivanti customers have received such a warning within the past two weeks.
The latest is CVE-2024-7593, a critical Virtual Traffic Manager (vTM) authentication bypass vulnerability that allows a remote, unauthenticated attacker to create an administrator account.
Ivanti announced patches for CVE-2024-7593 on August 12, and the company later updated its advisory to inform customers that, while it had not been aware of in-the-wild exploitation, a proof-of-concept (PoC) exploit had been made available.
At the time of writing, SecurityWeek has not seen any public reports describing attacks involving CVE-2024-7593, but CISA on Tuesday added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.
Ivanti has made available not only fixes, but also recommendations for limiting exploitability, as well as indicators of compromise (IoCs). However, it has yet to update the advisory to mention malicious exploitation.
Censys has reported seeing 97 internet-exposed Ivanti vTM instances, and ZoomEye has seen 164 this year, the majority of them in the United States and Japan.
CVE-2024-7593 was added to CISA’s KEV list shortly after CVE-2024-8963 and CVE-2024-8190, which impact Ivanti’s Cloud Services Appliance (CSA) and which have been chained for unauthenticated remote code execution.
It’s not uncommon for threat actors to exploit Ivanti product vulnerabilities. CISA currently has 20 entries in its KEV list for Ivanti vulnerabilities, some of which have been exploited to deliver backdoors and others to hack high-profile organizations such as MITRE and CISA.