Splunk

Ivanti VTM New Account Creation

Last updated 2 days ago on 2026-07-17

About

This analytic detects potential exploitation of the Ivanti Virtual Traffic Manager (vTM) authentication bypass vulnerability (CVE-2024-7593) to create new administrator accounts. The vulnerability allows unauthenticated remote attackers to bypass authentication on the admin panel and create new admin users. This detection looks for suspicious new account creation events in the Ivanti vTM audit logs that lack expected authentication details, which may indicate exploitation attempts.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.ivanti.com/security/security-advisories/ivanti-virtual-traffic-manager-vtm-cve-2024-7593(external, opens in a new tab or window)https://nvd.nist.gov/vuln/detail/CVE-2024-7593(external, opens in a new tab or window)
False Positives
Legitimate new account creation by authorized administrators will generate similar log entries. However, those should include proper authentication details. Verify any detected events against expected administrative activities and authorized user lists.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`ivanti_vtm_audit` OPERATION="adduser" MODGROUP="admin" IP="!!ABSENT!!" | stats count min(_time) as firstTime max(_time) as lastTime BY IP, MODUSER, OPERATION, MODGROUP, AUTH | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_vtm_new_account_creation_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).