
Ivanti vTM CVE-2024-7593

Severity: CRITICAL
Weakness: Improper Authentication (CWE-287)
Date: 2024-08-13
Record ID: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
CVSS 3.1 base score: 9.8

CVSS Vector (source: NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Added to CISA KEV: May 14, 2026 - 20:17 (source: CISA)

Description (source: NVD)

Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.

Analysis (AI-generated)

An authentication bypass in the Ivanti Virtual Traffic Manager (vTM) admin panel allows a remote, unauthenticated attacker to gain administrative access to the appliance because the authentication algorithm is implemented incorrectly. The flaw is confirmed as actively exploited (listed in CISA KEV) and carries an EPSS score of 94.44% (100th percentile), placing it among the highest-risk vulnerabilities currently tracked. All vTM releases other than 22.2R1 and 22.7R2 are affected.

Technical Context (AI-generated)

Ivanti Virtual Traffic Manager is a software-based application delivery controller (ADC) and load balancer, previously sold as Pulse Secure Virtual Traffic Manager and originally as Brocade/Riverbed Stingray. Its admin panel is a web-based management interface that should require strong authentication. CWE-287 (Improper Authentication) manifests here as an incorrect implementation of the authentication algorithm itself: the verification logic can be coerced into accepting requests that should be rejected, as opposed to a missing check or a credential leak. Based on the CPE list, affected builds include 22.2, 22.3, 22.3R2, 22.5R1, 22.6R1, and 22.7R1; per the description, the fixed builds are 22.2R1 and 22.7R2.

Remediation (AI-generated)

Vendor-released patch: the primary fix is to upgrade Ivanti vTM to 22.2R1, 22.7R2, or a later fixed build (22.3R3, 22.5R2, 22.6R2 per Ivanti's advisory family). Until patching is complete, the most effective compensating control is to restrict access to the admin interface: bind management to an internal-only interface and use the built-in Management IP Address ACL to deny untrusted networks. This materially reduces exposure, but operators must retain a trusted path for legitimate administration. Network-layer controls on the admin port (firewall rules, VPN-only access, or jump-host enforcement) should also be applied, with the trade-off that a misconfiguration of these controls can lock out legitimate administrators. Because the flaw has been actively exploited, review admin-account activity, session logs, and any unexpected administrative changes for indicators of prior compromise.
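The remediation above turns on one question per appliance: is the running build at or above the fixed release for its branch? The following is an added example (not code from vuln.today or from Ivanti) of a fleet triage check that encodes the affected and fixed builds named on this page. It parses vTM version strings of the form MAJOR.MINOR with an optional Rn suffix, compares the release number against the minimum fixed release for that branch, and reports any branch the page does not cover as "unknown" rather than guessing. The hostnames and the inventory list are constructed for illustration.

```python
import re

# Minimum fixed release per vTM branch, taken from this record:
# 22.2R1 and 22.7R2 from the NVD description; 22.3R3, 22.5R2 and 22.6R2
# from the remediation note. Branches absent here are reported as "unknown"
# so that they get reviewed against the vendor advisory instead of assumed safe.
FIXED_RELEASES = {
    "22.2": "22.2R1",
    "22.3": "22.3R3",
    "22.5": "22.5R2",
    "22.6": "22.6R2",
    "22.7": "22.7R2",
}

# Accepts "22.2", "22.3R2", "22.7R1" etc.; a missing Rn counts as release 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+))?$")


def parse_version(version):
    """Parse 'MAJOR.MINOR[Rn]' into a (major, minor, release) tuple of ints."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised vTM version string: {version!r}")
    major, minor, rel = m.groups()
    return int(major), int(minor), int(rel or 0)


def assess(version):
    """Return 'fixed', 'affected' or 'unknown' for CVE-2024-7593."""
    major, minor, rel = parse_version(version)
    branch = f"{major}.{minor}"
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return "unknown"
    _, _, fixed_rel = parse_version(fixed)
    return "fixed" if rel >= fixed_rel else "affected"


def triage(inventory):
    """Map each (hostname, version) pair to its status; keeps the input order."""
    return {host: assess(ver) for host, ver in inventory}


# Constructed sample inventory: hostnames are made up, versions are from the page.
SAMPLE_INVENTORY = [
    ("vtm-edge-01", "22.7R1"),
    ("vtm-edge-02", "22.7R2"),
    ("vtm-core-01", "22.2"),
    ("vtm-core-02", "22.2R1"),
    ("vtm-lab-01", "22.4R1"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "affected" are the ones to prioritise for the upgrade or, failing that, for the Management IP Address ACL and firewall restrictions described above; "unknown" hosts should be checked against the vendor advisory before being treated as safe.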


CVE-2024-7593 vulnerability details – vuln.today
