CVE-2024-13180
Published: 14 January 2025
Summary
CVE-2024-13180 is a high-severity Path Traversal (CWE-22) vulnerability in Ivanti Avalanche. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13180 is a path traversal vulnerability, tracked as CWE-22, that affects Ivanti Avalanche prior to version 6.4.7. The flaw permits disclosure of sensitive information and is described as addressing the incomplete remediation of the earlier CVE-2024-47011. It carries a CVSS 3.1 base score of 7.5, reflecting a network attack vector, low attack complexity, and high confidentiality impact, with no authentication or user interaction required.
A remote unauthenticated attacker can exploit the issue over the network to read arbitrary files and thereby leak sensitive data from the affected Avalanche deployment. The attack requires no privileges or user interaction, making it accessible to any party able to reach the service.
The referenced Ivanti security advisory for Avalanche 6.4.7 addresses this and related CVEs through the release of the fixed version. The associated EPSS score has remained in the moderate range with a current value of 0.3612 and a recorded peak of 0.3910.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51402
Vulnerability details
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the public-facing Ivanti Avalanche server directly enables remote unauthenticated file reads (T1190) and arbitrary local file access for data collection (T1005).
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation through vendor patches directly addresses the path traversal vulnerability; Ivanti's advisory for Avalanche 6.4.7 recommends upgrading to the fixed version.
Information input validation checks file path inputs to block directory traversal sequences, directly preventing exploitation of CWE-22 path traversal.
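The input-validation control above is the kind of check a file-serving endpoint needs before it touches the filesystem. The following is an added example written for this page, not Ivanti code and not a description of how Avalanche handles paths: it resolves a caller-supplied name against a fixed base directory and refuses anything that would land outside it, and it sits next to the prefix-comparison check that is commonly written and commonly wrong. The base directory `/srv/avalanche/files` and the request names are constructed for illustration.

```python
"""Input-validation check for user-controlled file paths (CWE-22).

Added example, not Ivanti's code. Shows the check NIST SI-10 calls for on a
file-download style endpoint: normalize the requested name under a fixed base
directory and reject any result outside it. Base directory and request names
are constructed for illustration.
"""
import posixpath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the configured base directory."""


def naive_is_inside(base_dir: str, requested: str) -> bool:
    """The check that is commonly written and commonly wrong.

    A plain prefix comparison accepts '/srv/files_old/x' for base '/srv/files',
    and it does nothing about percent-encoding, backslashes or NUL bytes.
    """
    candidate = posixpath.normpath(posixpath.join(base_dir, requested))
    return candidate.startswith(base_dir)


def safe_join(base_dir: str, requested: str) -> str:
    """Return the normalized absolute path for `requested` under `base_dir`.

    Raises PathTraversalError for any input that would resolve outside base_dir.
    base_dir must be absolute; it is normalized so a trailing slash does not matter.
    """
    if not posixpath.isabs(base_dir):
        raise ValueError("base_dir must be absolute")
    base = posixpath.normpath(base_dir)

    # Decode percent-encoding exactly once. The result is the literal file name:
    # a double-encoded '%252e%252e' becomes the literal name '%2e%2e' here and is
    # never decoded again by this code, so nothing downstream may decode it either.
    name = unquote(requested)

    # NUL bytes truncate paths in C-based file APIs ('secret.txt\x00.png').
    if "\x00" in name:
        raise PathTraversalError("NUL byte in requested path")

    # Treat backslashes as separators so '..\\' normalizes like '../'.
    name = name.replace("\\", "/")

    # An absolute request is never a name inside the base directory.
    if posixpath.isabs(name):
        raise PathTraversalError("absolute path not allowed")

    # normpath collapses '.', '..' and duplicate slashes lexically.
    candidate = posixpath.normpath(posixpath.join(base, name))

    # Containment test with the separator included, so a sibling directory that
    # merely shares the prefix ('/srv/files_old') is not accepted.
    if candidate != base and not candidate.startswith(base + "/"):
        raise PathTraversalError(f"path escapes base directory: {requested!r}")
    return candidate


def is_allowed(base_dir: str, requested: str) -> bool:
    """Convenience wrapper: True if safe_join accepts the request."""
    try:
        safe_join(base_dir, requested)
    except PathTraversalError:
        return False
    return True


if __name__ == "__main__":
    BASE = "/srv/avalanche/files"  # constructed base directory
    # Constructed request names: the first two are ordinary, the rest are
    # the classic malformed inputs a validator must refuse.
    for req in ["report.csv", "2024/q4/summary.txt", "../../../etc/passwd",
                "..%2F..%2Fetc%2Fpasswd", "..\\..\\x", "/etc/passwd"]:
        print(f"{req!r:30} -> {'allowed' if is_allowed(BASE, req) else 'rejected'}")
    # The naive prefix check accepts a sibling directory; safe_join does not.
    print(naive_is_inside("/srv/files", "../files_old/x"),   # True
          is_allowed("/srv/files", "../files_old/x"))        # False
```

The check is purely lexical, which is what an input-validation control is for; it does not follow symlinks, so on a filesystem where the base directory may contain links a second check with `os.path.realpath` on the opened path belongs in the file-serving layer as well.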
Boundary protection monitors and controls network communications to the vulnerable service, limiting remote unauthenticated access and exposure.