CVE-2024-7593 Detection: A Critical Vulnerability in Ivanti Virtual Traffic Manager Enables Unauthorized Admin Access
A new critical vulnerability in Ivanti Virtual Traffic Manager (vTM) instances comes into the spotlight. Tracked as CVE-2024-7593, the critical authentication bypass vulnerability enables remote attackers to create rogue admin accounts. The public availability of the PoC exploit code increases the risk of CVE-2024-7593 exploitation in real-world attacks.
Detect CVE-2024-7593 Exploitation Attempts
In 2023, over 30,000 new vulnerabilities were uncovered. This figure skyrocketed by 41% in 2024, underscoring the critical importance of proactive vulnerability detection as a leading cybersecurity priority. The latest vulnerability in the spotlight, which poses a significant threat to cyber defenders, is a critical authentication bypass in Ivanti’s vTM (CVE-2024-7593) that enables remote attackers to create admin accounts and proceed with malicious activity.
To identify possible CVE-2024-7593 exploitation attempts on time, security professionals can rely on the SOC Prime Platform for collective cyber defense, which aggregates curated detection content together with advanced threat detection and hunting solutions.
Possible Ivanti Authentication Bypass (CVE-2024-7593) Exploitation Attempt (via webserver)
This rule by our keen Threat Bounty developer Wirapong Petshagun detects URL patterns used to exploit the authentication bypass vulnerability in Ivanti vTM (CVE-2024-7593). The rule is compatible with 21 SIEM, EDR, and Data Lake solutions and is mapped to the MITRE ATT&CK framework, addressing the Initial Access tactic with Exploit Public-Facing Application (T1190) as the corresponding technique.
Eager to join SOC Prime’s crowdsourcing initiative? Skilled cybersecurity practitioners striving to enrich their Detection Engineering and Threat Hunting skills can join the ranks of our Threat Bounty Program to make their own contribution to collective industry expertise. Participation in the Program enables detection content authors to monetize their professional skills while helping build a safer digital future.
Security professionals looking for more curated detection content addressing vulnerability exploitation attempts might access the relevant detection stack by pressing the Explore Detections button below or simply browsing Threat Detection Marketplace using the “CVE” tag.
CVE-2024-7593 Analysis
Ivanti has recently patched a new critical authentication bypass vulnerability in its vTM appliances. Weaponizing the security flaw identified as CVE-2024-7593, with a CVSS score of 9.8, gives remote attackers the green light to bypass authentication on publicly accessible vTM admin panels.
The flaw affects several vTM versions except for 22.2R1 and 22.7R2. Although there hasn’t been any evidence of the CVE-2024-7593 exploitation in the wild yet, the public release of the PoC code exposes customers leveraging potentially impacted vTM instances to escalating risks.
To minimize the impact, Ivanti strongly recommends urgently upgrading to the latest patched version. As short-term CVE-2024-7593 mitigation measures, the vendor advises restricting admin access to the management interface or limiting access to trusted IP addresses.
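As an added example that is not part of SOC Prime's content or Ivanti's advisory, the check below reviews web server access logs for requests to the vTM management interface that violate the trusted-IP restriction recommended above, and flags state-changing admin requests for review. The admin URL prefix, the allowlisted network and the log lines are assumptions constructed for this example.

```python
import ipaddress
import re

# Apache/nginx "combined" access-log line; the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Assumption: the vTM management interface is served under this URL prefix.
# It is a placeholder for this example, not a path taken from Ivanti's advisory.
ADMIN_PREFIX = "/vtm-admin/"

# Networks allowed to reach the management interface (constructed allowlist),
# mirroring the vendor's interim advice to limit admin access to trusted IPs.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def review_admin_access(log_lines):
    """Return (line_no, reason, ip, path) for every request to the admin prefix
    that breaks the trusted-IP restriction or changes state on the appliance."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(ADMIN_PREFIX):
            continue
        if not is_trusted(m["ip"]):
            # A 2xx answer to an untrusted source means the restriction is not in place.
            if m["status"].startswith("2"):
                reason = "untrusted source reached the admin interface (not blocked)"
            else:
                reason = "untrusted source attempted the admin interface (blocked)"
            findings.append((n, reason, m["ip"], m["path"]))
        elif m["method"] in ("POST", "PUT"):
            findings.append((n, "state-changing admin request; verify it matches an approved change",
                             m["ip"], m["path"]))
    return findings

SAMPLE_LOG = [
    '10.20.0.5 - admin [12/Aug/2024:10:01:12 +0000] "GET /vtm-admin/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Aug/2024:10:02:45 +0000] "GET /vtm-admin/users HTTP/1.1" 200 811',
    '203.0.113.7 - - [12/Aug/2024:10:02:51 +0000] "POST /vtm-admin/users HTTP/1.1" 200 233',
    '198.51.100.9 - - [12/Aug/2024:10:03:02 +0000] "GET /vtm-admin/ HTTP/1.1" 403 0',
    '10.20.0.5 - admin [12/Aug/2024:10:04:00 +0000] "POST /vtm-admin/users HTTP/1.1" 200 233',
    '203.0.113.7 - - [12/Aug/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for n, reason, ip, path in review_admin_access(SAMPLE_LOG):
        print(f"line {n}: {reason}: {ip} -> {path}")
```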
Today’s threat landscape demands more advanced ways to thwart emerging threats that are continuously increasing in sophistication. To lower the risks of vulnerability exploitation, top-tier organizations are striving to evolve their security operations at scale. Leveraging SOC Prime’s Attack Detective helps security teams significantly reduce the ever-growing attack surface, elevate threat visibility and address cyber defense blind spots, get access to the prioritized detection stack for high-fidelity alerting, or adopt an automated threat hunting capability.