CVE-2024-7593 — Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability

CVE-2024-7593

Ivanti Virtual Traffic Manager — Unauthenticated Admin Account Creation via Authentication Algorithm Flaw

What is Ivanti Virtual Traffic Manager?

Ivanti Virtual Traffic Manager (vTM, formerly Pulse Secure Traffic Manager and before that Riverbed Stingray) is a software-based application delivery controller (ADC) that provides load balancing, traffic management, SSL offloading, and web application acceleration. vTM is deployed as a network intermediary for enterprise applications, meaning it proxies and controls traffic to backend servers. The vTM administrative interface manages load-balancing rules, SSL certificates, and backend server configurations — giving an attacker who gains admin access the ability to redirect traffic, intercept encrypted sessions, or disable application availability.

Overview

CVE-2024-7593 is an authentication bypass vulnerability in Ivanti Virtual Traffic Manager stemming from an incorrect implementation of the authentication algorithm in the administrative interface. The flaw allows a remote unauthenticated attacker to create a new administrator account with a chosen password, gaining full administrative control of the vTM instance. CISA added it to the KEV catalog on September 24, 2024, confirming active exploitation. The vulnerability is part of Ivanti's recurring pattern of critical vulnerabilities in its network access and traffic management products throughout 2024.

Affected Versions

vTM Version    Vulnerable    Fixed
22.2           < 22.2R1      22.2R1
22.3           < 22.3R3      22.3R3
22.5           < 22.5R2      22.5R2
22.6           < 22.6R2      22.6R2
22.7           < 22.7R2      22.7R2

Technical Details

CWE-287 (Improper Authentication). The vTM administrative interface implements an authentication algorithm that contains a logic flaw — under certain conditions, the authentication check can be bypassed or its output manipulated, allowing an unauthenticated attacker to perform actions reserved for authenticated administrators.

The specific bypass permits account creation: by sending a crafted request to the admin interface, an attacker can register a new administrator account with an attacker-chosen username and password. With that account, the attacker has unrestricted administrative access to the vTM instance, including:

  • Modifying load-balancing rules to redirect traffic to attacker-controlled servers
  • Accessing SSL private keys and certificates managed by the vTM
  • Disabling or modifying backend health checks to take applications offline
  • Exfiltrating configuration data including backend server addresses and credentials

Discovery

The vulnerability was discovered and reported to Ivanti. The advisory was published August 13, 2024 alongside the fixed releases. The 42-day gap between advisory publication and KEV addition (September 24) indicates exploitation began in the weeks following public disclosure.

Exploitation Context

Active exploitation was confirmed prior to the September 24, 2024 KEV addition. Internet-accessible vTM administrative interfaces were the primary attack targets. Given vTM's role as a traffic intermediary, compromised instances provided attackers with significant leverage over application availability and potentially over encrypted traffic flowing through the load balancer. Ivanti's repeated critical vulnerability disclosures in 2024 across multiple product lines (Connect Secure, Policy Secure, CSA, vTM, and others) led to heightened scrutiny and CISA advisories throughout the year.

Remediation

  1. Apply the fixed vTM version for your branch (22.2R1, 22.3R3, 22.5R2, 22.6R2, or 22.7R2 as appropriate).
  2. Immediately restrict administrative interface access to trusted management IP ranges; the admin interface must not be internet-accessible.
  3. After patching, audit administrator accounts for any unknown accounts created by attackers, and delete them.
  4. Rotate SSL private keys and certificates managed by the vTM if exploitation cannot be ruled out.
  5. Review vTM access logs and traffic rules for unauthorized modifications to load-balancing configuration.
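
Added example (not from Ivanti or the original page): for step 1, a triage of an inventory of vTM version strings against the Affected Versions table, listing the hosts that still need the fixed release first. The version-string format is an assumption, and the hostnames and sample versions are constructed.

```python
import re

# Fixed release per branch, copied from the Affected Versions table on this page.
FIXED_RELEASE = {"22.2": 1, "22.3": 3, "22.5": 2, "22.6": 2, "22.7": 2}

# Assumption: versions look like "<major>.<minor>" plus an optional "R<n>" suffix
# (e.g. "22.7R1"), R numbers increase within a branch, and bare "22.7" is release 0.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:[rR](\d+))?\s*$")


def parse_version(text):
    """Return (branch, release), or None if the string does not match."""
    m = _VERSION_RE.match(text)
    return (f"{int(m[1])}.{int(m[2])}", int(m[3] or 0)) if m else None


def classify(version):
    """Classify one version string against the Affected Versions table."""
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    branch, release = parsed
    fixed = FIXED_RELEASE.get(branch)
    if fixed is None:  # not in the table: do not guess, check the vendor advisory
        return "branch-not-listed"
    return "fixed" if release >= fixed else "vulnerable"


def triage(inventory):
    """Return (host, version, status, target) rows, vulnerable hosts first."""
    order = {"vulnerable": 0, "unparseable": 1, "branch-not-listed": 2, "fixed": 3}
    rows = []
    for host, version in inventory.items():
        status, target = classify(version), None
        if status == "vulnerable":
            branch = parse_version(version)[0]
            target = f"{branch}R{FIXED_RELEASE[branch]}"
        rows.append((host, version, status, target))
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {"vtm-dmz-01": "22.2", "vtm-edge-01": "22.7R1",
                    "vtm-edge-02": "22.7R2", "vtm-lab-01": "21.4R1",
                    "vtm-old-01": "unknown"}

if __name__ == "__main__":
    for host, version, status, target in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {version:8} {status:18} {target or ''}")
```

Hosts reported as "unparseable" or "branch-not-listed" need a manual check against the vendor advisory rather than being treated as safe.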

Key Details

Property               Value
CVE ID                 CVE-2024-7593
Vendor / Product       Ivanti — Virtual Traffic Manager
NVD Published          2024-08-13
NVD Last Modified      2025-10-24
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-287
CISA KEV Added         2024-09-24
CISA KEV Deadline      2024-10-15
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2024-10-15. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-08-13    CVE published; Ivanti releases advisory and patches
2024-09-24    Added to CISA Known Exploited Vulnerabilities catalog
2024-10-15    CISA BOD 22-01 remediation deadline
