Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIvanti Virtual Traffic Manager
APPIvanti22.222.322.522.622.7
CISA KEV — detailsi
- Vendori
- Ivanti ↗
- Producti
- Virtual Traffic Manager
- Added to KEVi
- September 24, 2024
- Remediation deadline (US Federal)i
- October 15, 2024(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Ivanti Virtual Traffic Manager contains an authentication bypass vulnerability that allows a remote, unauthenticated attacker to create a chosen administrator account.
Related vulnerabilities
OS command injection in Ivanti Virtual Traffic Manager before version 22.9r4 allows a remote authenticated att...
RCE poprzez OS Command Injection w Ivanti Sentry (nieuwierzytelniony dostęp root)
Krytyczny code injection w Ivanti Endpoint Manager Mobile (RCE bez uwierzytelnienia)
Code injection w Ivanti EPMM umożliwiający nieuwierzytelniony RCE
Stack-based buffer overflow w Ivanti Connect Secure, Policy Secure i ZTA Gateways umożliwiający RCE