Critical Flaw in Ivanti Virtual Traffic Manager Could Allow Rogue Admin Access
Aug 14, 2024
Vulnerability / Network Security
Ivanti has rolled out security updates for a critical flaw in Virtual Traffic Manager (vTM) that could be exploited to achieve an authentication bypass and create rogue administrative users. The vulnerability, tracked as CVE-2024-7593, has a CVSS score of 9.8 out of a maximum of 10.0.

"Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel," the company said in an advisory.

It impacts the following versions of vTM:

- 22.2 (fixed in version 22.2R1)
- 22.3 (fixed in version 22.3R3, available week of August 19, 2024)
- 22.3R2 (fixed in version 22.3R3, available week of August 19, 2024)
- 22.5R1 (fixed in version 22.5R2, available week of August 19, 2024)
- 22.6R1 (fixed in version 22.6R2, available week of August 19, 2024)
- 22.7R1 (fixed in version 22.7R2)

As a temporary mitigation, Ivanti is recommending that customers limit admin access to th
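The affected-versions list above is the kind of table a defender ends up checking an appliance inventory against. The following is an added example, not code from Ivanti or from the article: it parses vTM version strings, maps each one to the first fixed release named in the advisory summary above, and reports which hosts in a constructed inventory still need the CVE-2024-7593 update. The version-string grammar (major.minor with an optional R<n> maintenance suffix) is an assumption drawn from the strings that appear in the advisory, and the hostnames and inventory lines are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected branch -> first fixed release, transcribed from the advisory
# summary quoted in the article (CVE-2024-7593). Nothing else is implied.
FIXED_RELEASES: Dict[str, str] = {
    "22.2": "22.2R1",
    "22.3": "22.3R3",
    "22.5": "22.5R2",
    "22.6": "22.6R2",
    "22.7": "22.7R2",
}

# vTM versions in the advisory look like "22.3" or "22.3R2": major.minor with
# an optional "R<n>" maintenance-release suffix. This grammar is an assumption
# based on those strings, not a documented Ivanti version format.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:R(\d+))?\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, release). A missing R suffix counts as release 0,
    so 22.3 < 22.3R2 < 22.3R3 under plain tuple comparison."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vTM version string: {text!r}")
    major, minor, rel = m.groups()
    return int(major), int(minor), int(rel) if rel else 0


def assess(installed: str) -> Dict[str, Optional[str]]:
    """Classify one installed version against the advisory's fixed releases."""
    v = parse_version(installed)
    branch = f"{v[0]}.{v[1]}"
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        # Branch not in the advisory's per-version table. The advisory's blanket
        # wording ("other than versions 22.2R1 or 22.7R2") means an unlisted
        # branch must not be assumed safe; flag it for manual review instead.
        return {"version": installed, "status": "unlisted", "fixed_in": None}
    status = "patched" if v >= parse_version(fixed) else "vulnerable"
    return {"version": installed, "status": status, "fixed_in": fixed}


# Constructed sample inventory (hostname, installed version); not real hosts.
SAMPLE_INVENTORY = """\
vtm-edge-01 22.3R2
vtm-edge-02 22.7R2
vtm-lab-01  22.2
vtm-lab-02  22.4R1
"""


def hosts_needing_patch(inventory: str) -> List[Tuple[str, str, str]]:
    """Return (host, installed, fixed_in) for every host assessed as vulnerable.
    Unlisted branches are deliberately excluded here so they can be reported
    separately rather than silently treated as either safe or affected."""
    out: List[Tuple[str, str, str]] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        result = assess(version)
        if result["status"] == "vulnerable":
            out.append((host, version, result["fixed_in"] or ""))
    return out


if __name__ == "__main__":
    for host, ver, fix in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is affected by CVE-2024-7593, upgrade to {fix}")
```

Running it against the sample inventory reports vtm-edge-01 (22.3R2, fix 22.3R3) and vtm-lab-01 (22.2, fix 22.2R1); vtm-edge-02 is already on 22.7R2, and vtm-lab-02 sits on a branch the advisory table does not list, so it is left for manual review rather than assumed either way.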