Cyber Resilience

CVE-2024-7593

Badges: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Updated

Published: 13 August 2024
Modified: 05 June 2026
KEV Added: 24 September 2024
Patch: available (fixed releases 22.2R1 and 22.7R2, per the Ivanti advisory)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9444 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-7593 is a critical-severity Improper Authentication (CWE-287) vulnerability in Ivanti Virtual Traffic Manager. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score of 0.9444 places it at the 100.0th percentile of scored CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-7593 is an authentication bypass caused by an incorrect implementation of an authentication algorithm, tracked under CWE-287 (Improper Authentication) and CWE-303 (Incorrect Implementation of Authentication Algorithm). It affects Ivanti Virtual Traffic Manager (vTM) releases other than the fixed releases 22.2R1 and 22.7R2, and the exposed component is the administrative panel, which is reachable over the network.

A remote unauthenticated attacker can exploit the flaw over the network without user interaction or credentials to bypass authentication entirely on the admin panel. Successful exploitation grants full administrative access, enabling the attacker to achieve complete confidentiality, integrity, and availability impacts as reflected in the CVSS 9.8 base score.

Ivanti's security advisory directs customers to upgrade to the fixed releases 22.2R1 or 22.7R2. The vulnerability also appears in CISA's Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The associated EPSS score remains extremely high, with a current value of 0.9444 and a recorded peak of 0.9732. Because the only precondition is network reachability of the admin panel, practical exposure on an unpatched appliance depends on whether that panel can be reached from untrusted networks; restricting it to a management network (the AC-3 control listed under Mitigating Controls) reduces the attack surface until the fixed release is deployed, but is not a substitute for patching.
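The fixed-release rule above ("every release other than 22.2R1 or 22.7R2 is affected") is easy to get wrong when triaging an inventory by hand, because the fix lives on two separate branches and the plain branch version (for example "22.7") is still vulnerable. The following is an added example written for this page, not Ivanti's own tooling: it parses vTM version strings of the form major.minor[Rn], flags each host as fixed, vulnerable or unknown, and surfaces unparseable entries instead of skipping them. The fixed-release table is populated only from the two releases this page names; if the vendor advisory lists further fixed maintenance releases, add them to FIXED_RELEASES. The hostnames and versions in the sample inventory are constructed, and the assumption that a later maintenance release on a fixed branch (such as 22.7R3) still carries the fix is the example's, not the page's.

```python
import re
from dataclasses import dataclass

# Fixed releases named on this page (Ivanti advisory): every other vTM
# release is treated as affected. Map: (major, minor) branch -> minimum
# "R" maintenance revision that carries the fix.
FIXED_RELEASES = {
    (22, 2): 1,   # 22.2R1
    (22, 7): 2,   # 22.7R2
}

# major.minor with an optional "R<n>" maintenance suffix, e.g. 22.7R2 or 22.3
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+))?$")


@dataclass(frozen=True)
class VtmVersion:
    major: int
    minor: int
    revision: int  # the "R" maintenance number; 0 when absent (plain "22.7")

    @property
    def branch(self):
        return (self.major, self.minor)


def parse_version(text):
    """Parse a vTM version string such as '22.7R2' or '22.3'.

    Case and surrounding whitespace are tolerated. Raises ValueError on
    anything else so that odd inventory entries are surfaced, not skipped.
    """
    m = _VERSION_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised vTM version string: {text!r}")
    major, minor, rev = m.groups()
    return VtmVersion(int(major), int(minor), int(rev) if rev else 0)


def is_fixed(version):
    """True only on a fixed branch at or above the fixed revision.

    Assumption (this example's, not the page's): a later maintenance release
    on a fixed branch, e.g. 22.7R3, still carries the fix. Any branch absent
    from FIXED_RELEASES (22.3, 22.5, 22.6, ...) is reported as vulnerable
    regardless of revision, matching 'other than 22.2R1 or 22.7R2'.
    """
    min_rev = FIXED_RELEASES.get(version.branch)
    return min_rev is not None and version.revision >= min_rev


def triage(inventory):
    """Return {host: status} for a {host: version_string} inventory.

    status is 'fixed', 'vulnerable' or 'unknown' (unparseable version).
    """
    result = {}
    for host, raw in inventory.items():
        try:
            v = parse_version(raw)
        except ValueError:
            result[host] = "unknown"
            continue
        result[host] = "fixed" if is_fixed(v) else "vulnerable"
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "vtm-edge-01": "22.7R2",        # fixed release
    "vtm-edge-02": "22.7R1",        # fixed branch, revision too low
    "vtm-edge-03": "22.7",          # plain branch version, no R suffix
    "vtm-lab-01": "22.2R1",         # fixed release on the older branch
    "vtm-lab-02": "22.5R1",         # branch with no fixed release listed
    "vtm-legacy": "22.3",
    "vtm-odd": "unknown-build",     # unparseable: reported as 'unknown'
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:14} {status}")
```

Run it against a real inventory export by replacing SAMPLE_INVENTORY; treat every "unknown" as vulnerable until someone has looked at the appliance, since an odd version string usually means a build nobody has tracked.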

EU & UK References

Vulnerability details

Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.

CWE(s): CWE-287 (Improper Authentication), CWE-303 (Incorrect Implementation of Authentication Algorithm)
KEV Date Added: 24 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Ivanti
Product: Virtual Traffic Manager
Versions: 22.2, 22.3, 22.5, 22.6, 22.7 (22.2 and 22.7 are affected only in builds before the fixed releases 22.2R1 and 22.7R2 respectively)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces authentication and access decisions on the admin panel, blocking the algorithm bypass that allows unauthenticated remote access.

SI-2 Flaw Remediation (prevent): Requires timely remediation of the identified authentication flaw (CWE-287/303) via the vendor-supplied patches for versions prior to 22.2R1/22.7R2.

Identification and authentication (prevent): Mandates proper identification and authentication of users before granting administrative access, directly addressing the broken authentication mechanism.

References