The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting Ivanti Virtual Traffic Manager (vTM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability in question is CVE-2024-7593 (CVSS score: 9.8), which could be exploited by a remote, unauthenticated attacker to bypass authentication on the admin panel and create rogue administrator users.
“Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that could allow a remote, unauthenticated attacker to create a chosen administrator account,” CISA said.
The issue was fixed by Ivanti in vTM 22.2R1, 22.3R3, 22.5R2, 22.6R2 and 22.7R2 in August 2024.
The agency hasn’t revealed any specifics about how the flaw is being exploited in real-world attacks or who might be behind them, but Ivanti previously noted that a proof-of-concept (PoC) is publicly available.
In light of the latest developments, Federal Civilian Executive Branch (FCEB) agencies are required to apply the fix for the identified flaw by October 15, 2024 to protect their networks.
Several vulnerabilities affecting Ivanti devices have been actively exploited in the wild in recent months, including CVE-2024-8190 and CVE-2024-8963.
The software vendor acknowledged that it is aware of a “limited number of customers” experiencing both issues.
Data shared by Censys shows that as of September 23, 2024, there are 2,017 open Ivanti Cloud Service Appliance (CSA) instances online, most of which are located in the US. It is currently unknown how many of them are actually susceptible.