Analysis Summary

Based on proof of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a major security issue affecting Ivanti Virtual Traffic Manager (vTM) to its list of Known Exploited Vulnerabilities (KEV).

This vulnerability, identified as CVE-2024-7593 (CVSS score: 9.8), might be used by a remote, unauthenticated attacker to get around the admin panel's authentication process and establish rogue administrator users. CISA said that an authentication bypass vulnerability in Ivanti Virtual Traffic Manager enables a remote, unauthenticated attacker to establish a selected administrator account.

In August 2024, Ivanti released a patch for vTM versions 22.2R1, 22.3R3, 22.5R2, 22.6R2, and 22.7R2. A proof-of-concept (PoC) is publicly available, however, the agency withheld details regarding how the vulnerability is being weaponized in actual attacks and who might be responsible. Ivanti had already made this observation. Federal Civilian Executive Branch (FCEB) agencies must patch the found vulnerability by October 15, 2024, to safeguard their networks, in light of the most recent development.

Some Ivanti device vulnerabilities, such as CVE-2024-8190 and CVE-2024-8963, have been actively exploited in the wild in recent months. The supplier of software services admitted that it is aware of a small group of clients who have been impacted by both problems. As of September 23, 2024, there were 2,017 exposed Ivanti Cloud Service Appliance (CSA) instances online, the majority of which were based in the United States. Exactly how many individuals are susceptible is unknown at this time.

Impact

• Unauthorized Remote Access
• Security Bypass

Indicators of Compromise

CVE

• CVE-2024-7593

Affected Vendors

Remediation

• Refer to the Ivanti Website for patch, upgrade, or suggested workaround information.
• Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.