Com TW NOw News 2024

Critical Ivanti vTM bug allows unauthorized administrator access

Ivanti has patched another major vulnerability, this time involving the Virtual Traffic Manager (vTM).

Ivanti vTM is an Application Delivery Controller (ADC) within the Virtual Application Delivery Controller (vADC) product line, focused on application traffic management and load balancing.

The problem, according to a recently published security advisory, lies in a flawed implementation of an authentication algorithm. External, unauthenticated parties could take advantage of the flaw to bypass authentication entirely, gain access to the vTM admin panel, and create an administrator account for themselves.

“This opens the door to a variety of malicious activities, such as data theft, service disruptions, and compromise of sensitive systems,” explains Patrick Tiquet, vice president of security and architecture at Keeper Security. “Furthermore, the ability to bypass authentication can facilitate further exploitation of the network, amplifying the impact of the original breach.”

Such risks have led to this authentication bypass bug, labeled CVE-2024-7593, being given a critical score of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) rating scale.

Ivanti has not observed any customers being attacked via CVE-2024-7593, but has reported that a proof-of-concept (PoC) exploit is publicly available.

Dark Reading discovered a vADC exploit in the Exploit Database (Exploit-DB), uploaded on August 4 by the user “ohnoisploited”. In response to an inquiry, Ivanti stated that this was not the PoC referenced in the advisory.

Ivanti fixes already available for all these bugs

No other organization has had as many public security issues this year as Ivanti.

It started with a few major zero-day vulnerabilities, then came more, and more, and even more. Plenty of hackers have taken advantage, even, in some cases, after victims had already patched, and many organizations have been disrupted along the way.

As in most of these cases, dutiful patching is the best remedy. vTM versions 22.2R1 (dated March 26) and 22.7R2 (May 20) are hardened against CVE-2024-7593, and more patched versions (22.3R3, 22.5R2, and 22.6R2) are expected to roll out on Monday. Patches are available from the Ivanti Standard Portal.

In addition to patching, organizations can adjust their vTM settings to expose their management interface only to internal, trusted IP addresses. “By not exposing their management interface to a public IP address, customers have significantly reduced their attack surface,” an Ivanti spokesperson wrote in an email. “It is an industry best practice and is recommended by Ivanti in its network configuration guidelines to restrict access to the management interface.”
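The two mitigations above (running a fixed release and keeping the management interface on trusted addresses) can be checked across a fleet with a short triage script. This is an added example, not code from Ivanti or from the original article. The inventory tuples, the `TRUSTED_NETS` ranges, and the treatment of a bare branch number such as "22.2" as older than its R1 release are assumptions; the fixed versions are the ones the article lists.

```python
import ipaddress
import re

# First hardened release per branch, as listed in the article. 22.3R3, 22.5R2
# and 22.6R2 were still "expected" when it was written.
FIXED = {"22.2": 1, "22.3": 3, "22.5": 2, "22.6": 2, "22.7": 2}
# Assumption: networks this site treats as internal and trusted.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_VERSION = re.compile(r"^(\d+\.\d+)(?:R(\d+))?$")


def patch_status(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a vTM version string."""
    m = _VERSION.match(version.strip())
    if not m or m.group(1) not in FIXED:
        return "unknown"  # branch not named in the article
    release = int(m.group(2) or 0)  # assumption: bare "22.2" predates 22.2R1
    return "patched" if release >= FIXED[m.group(1)] else "vulnerable"


def mgmt_exposed(bind_ip):
    """True if the admin interface binds to a wildcard or untrusted address."""
    addr = ipaddress.ip_address(bind_ip)
    return addr.is_unspecified or not any(addr in net for net in TRUSTED_NETS)


def triage(inventory):
    """Return (host, status, exposed, actions) rows, most actions first."""
    rows = []
    for host, version, bind_ip in inventory:
        status, exposed, actions = patch_status(version), mgmt_exposed(bind_ip), []
        if status == "vulnerable":
            actions.append("upgrade to a fixed release")
        elif status == "unknown":
            actions.append("check version against the advisory")
        if exposed:
            actions.append("restrict management interface")
        rows.append((host, status, exposed, actions))
    return sorted(rows, key=lambda r: len(r[3]), reverse=True)


# Constructed inventory: (hostname, vTM version, management bind address).
SAMPLE_INVENTORY = [("vtm-a", "22.7R2", "10.20.0.5"),
                    ("vtm-b", "22.5R1", "203.0.113.10"),
                    ("vtm-c", "22.3R2", "192.168.4.9"),
                    ("vtm-d", "22.2R1", "0.0.0.0")]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

Branches the article does not name come back as "unknown" rather than "patched", so they are routed to a manual check against the vendor advisory.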