Cyber Posture

CVE-2024-13180

High

Published: 14 January 2025

Modified: 16 January 2025
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.3851 (97.3rd percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13180 is a high-severity Path Traversal (CWE-22) vulnerability in Ivanti Avalanche. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Timely flaw remediation through vendor patches directly addresses the path traversal vulnerability as recommended in Ivanti's advisory for Avalanche 6.4.7.

Prevent: Information input validation checks file path inputs to block directory traversal sequences, directly preventing exploitation of CWE-22 path traversal.

Prevent, detect: Boundary protection monitors and controls network communications to the vulnerable service, limiting remote unauthenticated access and exposure.

NVD Description

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.

Deeper analysis [AI]

CVE-2024-13180 is a path traversal vulnerability (CWE-22) affecting Ivanti Avalanche versions prior to 6.4.7. It enables a remote unauthenticated attacker to leak sensitive information, and it addresses incomplete fixes from the related CVE-2024-47011. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): high confidentiality impact, no privileges or user interaction required, and unchanged scope.

A remote unauthenticated attacker can exploit this vulnerability over the network with low complexity to read arbitrary files on the affected system, potentially exposing sensitive data such as configuration files or other restricted information.

Ivanti's security advisory for Avalanche 6.4.7 addresses this and multiple other CVEs, recommending an update to version 6.4.7 or later as the primary mitigation. Additional details are available in the official advisory at https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

ivanti avalanche, versions ≤ 6.4.7

CVEs Like This One

CVE-2024-13181 (same product: Ivanti Avalanche)
CVE-2024-13179 (same product: Ivanti Avalanche)
CVE-2023-38036 (same product: Ivanti Avalanche)
CVE-2025-9713 (same vendor: Ivanti)
CVE-2024-13158 (same vendor: Ivanti)
CVE-2024-10811 (same vendor: Ivanti)
CVE-2026-5786 (same vendor: Ivanti)
CVE-2025-13659 (same vendor: Ivanti)
CVE-2025-22467 (same vendor: Ivanti)
CVE-2025-0283 (same vendor: Ivanti)
