
CVE-2024-11772

Critical | RCE

Published: 10 December 2024
Modified: 17 January 2025
KEV Added: not listed
Patch: not recorded
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0978 (93.1st percentile)
Risk Priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11772 is a critical-severity Command Injection (CWE-77) vulnerability in Ivanti Cloud Services Appliance. Its CVSS base score is 9.1 (Critical).

Operationally, its EPSS score ranks it in the top 6.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-11772 is a command injection vulnerability, tracked under CWE-77, that affects the admin web console of Ivanti Cloud Services Application (CSA) prior to version 5.0.3. The flaw received a CVSS 3.1 base score of 9.1, reflecting a network-reachable attack vector that requires high (administrative) privileges, needs no user interaction, and carries a changed scope (S:C), meaning the impact extends beyond the vulnerable component itself.

A remote authenticated attacker holding admin privileges can supply crafted input through the web console to execute arbitrary operating-system commands on the underlying host, resulting in full remote code execution with the ability to read, modify, or delete data and potentially pivot further within the environment.

The EPSS score for this CVE rose from low values to a peak of 0.1513 on 2026-03-04 before receding to the current level of 0.0978, indicating a measurable increase in observed exploitation interest after public disclosure. The vendor has published a security advisory covering this issue together with related CVEs at the referenced Ivanti forum URL.


Vulnerability details

Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

CWE(s)

CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ivanti
Product: cloud services appliance
Versions: ≤ 5.0.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
