Skip to main content

Ivanti vTM CVE-2024-7593

CRITICAL
Improper Authentication (CWE-287)
2024-08-13 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Added to CISA KEV
May 14, 2026 - 20:17 CISA

DescriptionCVE.org

Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.

AnalysisAI

Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gain administrative access to the appliance due to a flawed authentication algorithm implementation. The flaw is confirmed actively exploited (CISA KEV) with an EPSS score of 94.44% (100th percentile), placing it among the highest-risk vulnerabilities currently tracked. All vTM releases other than 22.2R1 and 22.7R2 are affected.

Technical ContextAI

Ivanti Virtual Traffic Manager is a software-based application delivery controller (ADC) and load balancer historically known as Pulse Secure Virtual Traffic Manager and originally Brocade/Riverbed Stingray. The admin panel exposes a web-based management interface that should require strong authentication. CWE-287 (Improper Authentication) here manifests as an incorrect implementation of the authentication algorithm itself - meaning the verification logic can be coerced into accepting requests that should be rejected, rather than a missing check or credential leak. Based on the CPE list, affected builds include 22.2, 22.3, 22.3R2, 22.5R1, 22.6R1, and 22.7R1; the fixed builds are 22.2R1 and 22.7R2 per the description.

RemediationAI

Vendor-released patch: upgrade Ivanti vTM to 22.2R1, 22.7R2, or later fixed builds (22.3R3, 22.5R2, 22.6R2 per Ivanti's advisory family) as the primary fix. Until patching is complete, the most effective compensating control is to restrict access to the admin interface by binding management to an internal-only interface and using the built-in Management IP Address ACL to deny untrusted networks; this materially reduces exposure but requires that operators retain a trusted path for legitimate administration. Network-layer controls (firewall rules, VPN-only access, or jump host enforcement) on the admin port should also be applied, with the trade-off that any misconfiguration of these controls can lock out legitimate administrators. Review admin-account activity, session logs, and any unexpected administrative changes for indicators of prior compromise, since the flaw has been actively exploited.

More in Ivanti

View all
CVE-2024-13159 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l

CVE-2024-13160 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu

CVE-2024-13161 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur

CVE-2025-0282 CRITICAL POC
9.0 Jan 08

Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated

CVE-2025-4427 MEDIUM POC
5.3 May 13

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a

CVE-2026-1281 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al

CVE-2026-1340 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a

CVE-2025-22457 CRITICAL POC
9.0 Apr 03

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re

CVE-2025-4428 HIGH POC
7.2 May 13

Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica

CVE-2026-1603 HIGH POC
8.6 Feb 10

Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen

CVE-2026-10520 CRITICAL POC
10.0 Jun 09

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a

CVE-2026-6973 HIGH POC
7.2 May 07

Remote code execution in Ivanti Endpoint Manager Mobile (EPMM) allows authenticated administrators to execute arbitrary

Share

CVE-2024-7593 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy