[2025.03 Vulnerability Report] Ivanti vTM Authentication Bypass | Cloud-Based Platform AIONCLOUD



The vulnerability is an authentication bypass in Ivanti vTM: by bypassing access control on wizard.cgi, which can load every section of the web interface, an attacker can create an arbitrary administrator account.

The vulnerability has been patched in Ivanti vTM versions 22.2R1, 22.7R2, and others. AIWAF responds with pattern 2235: Ivanti vTM Authentication Bypass, added in the February 2025 pattern update, and continues to monitor related vulnerabilities.


1. Overview

Ivanti Virtual Traffic Manager (vTM) is a software-based Application Delivery Controller (ADC). We recently analyzed CVE-2024-7593, an authentication bypass vulnerability discovered in the platform.

[Image: see source below]

Source: https://thehackernews.com/2024/10/ivanti-endpoint-manager-flaw-actively.html


2. Attack Type

CVE-2024-7593 is an authentication bypass vulnerability in Ivanti vTM. A flaw in the product's authentication algorithm lets an attacker bypass access control on wizard.cgi, which can load every section of the web interface, and thereby create an arbitrary administrator account.

An attacker bypasses the access control on wizard.cgi by setting the error parameter to 1 among the parameters of the request sent to the affected endpoint.

The section parameter then selects the account-creation section, and the request Body carries create_user=Create, which marks the request as one that creates an administrator account, together with create_form_submitted=form (the form-settings field that keeps the request from being rejected by the CSRF prevention measures) and the administrator account details.

Request of an attack that bypasses access control to create an administrator account:

POST /apps/zxtm/wizard.fcgi?error=1&section=Access Management:LocalUsers HTTP/1.1
Content-Length: 108
Content-Type: application/x-www-form-urlencoded
Host: www.test.com
User-Agent: HTTPie

_form%2Bsubmitted=form&create_user=Create&group=admin&newusername=attacker&password1=hacker&password2=hacker

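As an added example, not the AIWAF pattern or any Ivanti code, the following Python check flags the request shape described above (wizard.fcgi reached with error=1) and reports the form fields that reveal the follow-on account creation. The sample traffic and the indicator names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

WIZARD_SUFFIX = "/wizard.fcgi"  # endpoint from the request shown above


def classify_request(method: str, target: str, body: str = "") -> dict:
    """Classify one request (method, path+query, form body) as a WAF would see it.

    Returns the indicators found, whether the request matches the bypass shape,
    and the username the form tries to create (None if absent).
    """
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True) if method.upper() == "POST" else {}
    indicators = []
    if parts.path.endswith(WIZARD_SUFFIX):
        indicators.append("wizard_path")
    if query.get("error") == ["1"]:
        indicators.append("error_param_set")  # the access-control bypass trigger
    if any("LocalUsers" in s for s in query.get("section", [])):
        indicators.append("localusers_section")  # account-management section
    if form.get("create_user") == ["Create"]:
        indicators.append("create_user_form")  # admin-account creation submit
    # The bypass itself is wizard.fcgi reached with error=1; the section and
    # form fields only describe what the bypass is then used for.
    match = "wizard_path" in indicators and "error_param_set" in indicators
    return {"match": match, "indicators": indicators,
            "new_user": form.get("newusername", [None])[0]}


def scan_requests(records) -> list:
    """Return the indexes of records that match the bypass shape."""
    return [i for i, (m, t, b) in enumerate(records) if classify_request(m, t, b)["match"]]


# Constructed sample traffic (not real captures): the request from this report,
# a routine wizard visit, and an ordinary login.
SAMPLE_REQUESTS = [
    ("POST", "/apps/zxtm/wizard.fcgi?error=1&section=Access Management:LocalUsers",
     "_form%2Bsubmitted=form&create_user=Create&group=admin"
     "&newusername=attacker&password1=hacker&password2=hacker"),
    ("GET", "/apps/zxtm/wizard.fcgi?section=Access Management:LocalUsers", ""),
    ("POST", "/apps/zxtm/login.cgi", "username=admin&password=secret"),
]

if __name__ == "__main__":
    for i in scan_requests(SAMPLE_REQUESTS):
        r = classify_request(*SAMPLE_REQUESTS[i])
        print(f"request {i}: {r['indicators']} new_user={r['new_user']}")
```

The returned indicator list lets a rule be tuned: alerting on the bypass trigger alone catches probes, while requiring the form indicators confirms an actual account-creation attempt.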


3. Response

Ivanti has released a patch for CVE-2024-7593, so users of the product should update to the fixed version or higher for their release line, as shown in the image below. Our AIWAF product responds with pattern 2235: Ivanti vTM Authentication Bypass, added in the February 2025 pattern update.

[Image: fixed version per release line; see source below]

Source: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593


4. Conclusion

Ivanti vTM is primarily used by large enterprises with complex IT environments. Because the vulnerability carries a CVSS score of 9.8, CISA quickly added it to its Known Exploited Vulnerabilities (KEV) catalog, an 'urgent patch list'.

In addition, according to the OSINT service fofa.info, more than 260 vTM systems were exposed to the internet as of March 2025. These systems could be targeted with CVE-2024-7593 and should be patched to the latest version as soon as possible.

[Image: fofa.info search results; see source below]

Source: https://en.fofa.info/result?qbase64=YXBwPSJWaXJ0dWFsLVRyYWZmaWMtTWFuYWdlciI%3D

Our AIWAF product has developed patterns to respond to vulnerabilities in Ivanti products, and we will continue to respond quickly to related vulnerabilities as they are discovered.

