Cyber Resilience

CVE-2024-13180

High

Published: 14 January 2025
Modified: 16 January 2025
KEV Added: not listed
Patch: available (fixed in Avalanche 6.4.7)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.3612 (97.2nd percentile)
Risk Priority: 37 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13180 is a high-severity Path Traversal (CWE-22) vulnerability in Ivanti Avalanche. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.8% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13180 is a path traversal vulnerability, tracked as CWE-22, that affects Ivanti Avalanche prior to version 6.4.7. The flaw permits disclosure of sensitive information and is described as addressing incomplete remediation from the earlier CVE-2024-47011. It carries a CVSS 3.1 base score of 7.5 reflecting network attack vector, low complexity, and high confidentiality impact without requiring authentication or user interaction.

A remote unauthenticated attacker can exploit the issue over the network to read arbitrary files and thereby leak sensitive data from the affected Avalanche deployment. The attack requires no privileges or user interaction, making it accessible to any party able to reach the service.

The referenced Ivanti security advisory for Avalanche 6.4.7 addresses this and related CVEs through the release of the fixed version. The associated EPSS score has remained in the moderate range with a current value of 0.3612 and a recorded peak of 0.3910.

Vulnerability details

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Path traversal in the public-facing Ivanti Avalanche server directly enables remote unauthenticated file read (T1190) and arbitrary local file access for data collection (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13179: same product (Ivanti Avalanche)
CVE-2024-13181: same product (Ivanti Avalanche)
CVE-2023-38036: same product (Ivanti Avalanche)
CVE-2025-9713: same vendor (Ivanti)
CVE-2026-8043: same vendor (Ivanti)
CVE-2024-13158: same vendor (Ivanti)
CVE-2025-12824: shared CWE-22
CVE-2026-25965: shared CWE-22
CVE-2025-30567: shared CWE-22
CVE-2025-27098: shared CWE-22

Affected Assets

Ivanti Avalanche ≤ 6.4.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Timely flaw remediation through vendor patches directly addresses the path traversal vulnerability as recommended in Ivanti's advisory for Avalanche 6.4.7.

SI-10 Information Input Validation (prevent)

Information input validation checks file path inputs to block directory traversal sequences, directly preventing exploitation of CWE-22 path traversal.

SC-7 Boundary Protection (prevent, detect)

Boundary protection monitors and controls network communications to the vulnerable service, limiting remote unauthenticated access and exposure.
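The input validation control (SI-10) above is only effective when it is implemented as a containment check on the canonical path rather than as a substring blocklist; the page's note that this CVE addresses an incomplete earlier fix is a reminder of that. The following is an added, illustrative example and not code from Ivanti or from this page: a naive blocklist filter beside a resolve-then-contain check, with a constructed base directory and constructed request paths.

```python
"""CWE-22 mitigation: validate a user-supplied relative path by resolving it
and checking that the result stays inside a fixed base directory."""
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Constructed example base directory (not a real Avalanche path).
BASE = "/srv/example-share"


def naive_filter(user_path: str) -> str:
    """Blocklist-style 'fix' that strips one '../' sequence.

    Shown only to illustrate why such fixes are incomplete: the output of
    this function can itself be a traversal string. Do not use."""
    return user_path.replace("../", "")


def relative_if_contained(base_dir: str, user_path: str) -> Optional[str]:
    """Return the path relative to base_dir if the resolved target lies
    inside base_dir, else None.

    Percent-decodes once (as a web front end would), rejects NUL bytes and
    absolute paths, then resolves '..' components and symlinks so the
    containment decision is made on the canonical path."""
    decoded = unquote(user_path)
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        return None
    base = Path(base_dir).resolve()
    candidate = (base / decoded).resolve()
    try:
        return str(candidate.relative_to(base))
    except ValueError:  # resolved outside base_dir
        return None


def is_contained(base_dir: str, user_path: str) -> bool:
    return relative_if_contained(base_dir, user_path) is not None


if __name__ == "__main__":
    for p in ["reports/daily.txt", "../../etc/passwd",
              "%2e%2e/%2e%2e/etc/passwd", naive_filter("....//....//etc/passwd")]:
        print(f"{p!r:40} contained={is_contained(BASE, p)}")
```

The last request path shows the blocklist problem: the naive filter turns a four-dot input into a plain `../../` traversal, while the containment check rejects it regardless of how the sequence was written.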
