Ivanti urges its Virtual Traffic Manager and Neurons customers to apply the latest updates, which contain necessary patches for critical vulnerabilities.

Ivanti communicates about three vulnerabilities in some of its products. These are a vulnerability in Virtual Traffic Manager (vTM) and Neurons. The three vulnerabilities receive a CVSS score of 8.3 (high) to 9.8 (critical). So the message is to patch.

vTM

Ivanti vTM is a software service for app-centric traffic management to manage the load of business-critical applications, among other things. The vulnerability allows attackers to bypass authentication and grant themselves administrative privileges. Ivanti says there is no indication yet that the vulnerability is being actively exploited, but it advises customers not to wait and take action now.

A patch is available for versions 22.2 and 22.7R1. Those with a different version will have to wait until August 19. In the meantime, Ivanti advises against restricting access to vTM to the internal network or known IP addresses so that unknown users have no chance of contacting them from the outside.

The company also recommends checking the vTM logs for possible suspicious registrations. Have there been any new administrator accounts with usernames recently? User1 or User2then that could be a bad sign.

Neurons

The other two vulnerabilities are found in Ivanti ITSM and Neurons, solutions for (on-prem) IT management. CVE-2024-7570 is rated as a high severity vulnerability, CVE-2024-7569 is rated as “critical”.

These vulnerabilities also bypass built-in authentication by either causing a token to be created or by exposing the OpenID Connect client to debug information. A patch is available.

Ivanti has been in the headlines regularly in recent months due to serious vulnerabilities. A zero-day in the company’s VPN service claimed victims worldwide. The company was criticized for delaying the deployment of patches. The CEO had to issue a public mea culpa and Ivanti promised to “fundamentally change” its security model.