The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting Ivanti Virtual Traffic Manager (vTM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability in question is CVE-2024-7593 (CVSS score: 9.8), which could be exploited by a remote, unauthenticated attacker to bypass the authentication of the admin panel and create rogue administrative users.
"Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that allows a remote, unauthenticated attacker to create a chosen administrator account," CISA said.
The issue was patched by Ivanti in vTM versions 22.2R1, 22.3R3, 22.5R2, 22.6R2, and 22.7R2 in August 2024.
The agency did not reveal any specifics on how the shortcoming is being weaponized in real-world attacks or who may be behind them, but Ivanti had previously noted that a proof-of-concept (PoC) is publicly available.
In light of the latest development, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified flaw by October 15, 2024, to secure their networks.
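For a defender working through an asset inventory, the practical question is which installed vTM builds fall below the fixed releases named above and how much time remains before the KEV remediation date. The following is an added example, not code from the article, CISA or Ivanti: it takes the fixed release numbers (22.2R1, 22.3R3, 22.5R2, 22.6R2, 22.7R2) and the October 15, 2024 due date from the text, and assumes that vTM versions are written as `major.minorRrevision` and that a fix applies to all later revisions of the same release branch; both the version format and the cumulative-fix assumption are this example's own, as is the sample inventory.

```python
import re
from datetime import date

# Fixed releases named in Ivanti's August 2024 patch for CVE-2024-7593,
# keyed by release branch (major, minor) -> first fixed revision number.
FIXED_RELEASES = {
    (22, 2): 1,  # 22.2R1
    (22, 3): 3,  # 22.3R3
    (22, 5): 2,  # 22.5R2
    (22, 6): 2,  # 22.6R2
    (22, 7): 2,  # 22.7R2
}

# FCEB remediation deadline from the KEV entry.
KEV_DUE_DATE = date(2024, 10, 15)

# Assumed version format "22.3R3": major.minor followed by an R-revision.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)$")


def parse_vtm_version(text):
    """Parse a vTM version string such as '22.3R2' into (major, minor, revision)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vTM version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version):
    """Classify one installed version against the fixed releases.

    Returns 'patched' when the revision is at or above the branch's fixed
    revision, 'vulnerable' when it is below it, and 'unknown' when the
    branch is not among those the advisory names (no conclusion possible).
    """
    major, minor, rev = parse_vtm_version(version)
    fixed_rev = FIXED_RELEASES.get((major, minor))
    if fixed_rev is None:
        return "unknown"
    return "patched" if rev >= fixed_rev else "vulnerable"


def triage(inventory, today):
    """Map (hostname, version) pairs to (hostname, version, status).

    Also returns the number of days left until the KEV due date so the
    report can be prioritised; negative means the deadline has passed.
    """
    days_left = (KEV_DUE_DATE - today).days
    rows = [(host, ver, assess(ver)) for host, ver in inventory]
    return rows, days_left


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("vtm-edge-01.example.internal", "22.3R2"),
        ("vtm-edge-02.example.internal", "22.3R3"),
        ("vtm-lab-01.example.internal", "22.4R1"),
        ("vtm-core-01.example.internal", "22.7R2"),
    ]
    rows, days_left = triage(sample, date(2024, 9, 25))
    print(f"{days_left} days until KEV due date {KEV_DUE_DATE}")
    for host, ver, status in rows:
        print(f"{host:32} {ver:8} {status}")
```

Hosts reported as `vulnerable` are the ones to patch or isolate first; `unknown` means the branch is not covered by the fixed-release list on this page and needs a manual check against the vendor advisory rather than being silently treated as safe.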
In recent months, several flaws affecting Ivanti devices have come under active exploitation in the wild, including CVE-2024-8190 and CVE-2024-8963.
The software services provider acknowledged that it is aware of a "limited number of customers" who have been targeted by both issues.
Data shared by Censys shows that there are 2,017 exposed Ivanti Cloud Service Appliance (CSA) instances online as of September 23, 2024, most of which are located in the U.S. It is currently not known how many of these are actually susceptible.