Ivanti vTM
CVE-2024-7593
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
AnalysisAI
Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gain administrative access to the appliance due to a flawed authentication algorithm implementation. The flaw is confirmed actively exploited (CISA KEV) with an EPSS score of 94.44% (100th percentile), placing it among the highest-risk vulnerabilities currently tracked. All vTM releases other than 22.2R1 and 22.7R2 are affected.
Technical ContextAI
Ivanti Virtual Traffic Manager is a software-based application delivery controller (ADC) and load balancer historically known as Pulse Secure Virtual Traffic Manager and originally Brocade/Riverbed Stingray. The admin panel exposes a web-based management interface that should require strong authentication. CWE-287 (Improper Authentication) here manifests as an incorrect implementation of the authentication algorithm itself - meaning the verification logic can be coerced into accepting requests that should be rejected, rather than a missing check or credential leak. Based on the CPE list, affected builds include 22.2, 22.3, 22.3R2, 22.5R1, 22.6R1, and 22.7R1; the fixed builds are 22.2R1 and 22.7R2 per the description.
RemediationAI
Vendor-released patch: upgrade Ivanti vTM to 22.2R1, 22.7R2, or later fixed builds (22.3R3, 22.5R2, 22.6R2 per Ivanti's advisory family) as the primary fix. Until patching is complete, the most effective compensating control is to restrict access to the admin interface by binding management to an internal-only interface and using the built-in Management IP Address ACL to deny untrusted networks; this materially reduces exposure but requires that operators retain a trusted path for legitimate administration. Network-layer controls (firewall rules, VPN-only access, or jump host enforcement) on the admin port should also be applied, with the trade-off that any misconfiguration of these controls can lock out legitimate administrators. Review admin-account activity, session logs, and any unexpected administrative changes for indicators of prior compromise, since the flaw has been actively exploited.
Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l
Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu
Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur
Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated
An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a
Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re
Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica
Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen
Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a
Remote code execution in Ivanti Endpoint Manager Mobile (EPMM) allows authenticated administrators to execute arbitrary
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today