CVE-2024-13181

High

Published: 14 January 2025

Published

14 January 2025

Modified

16 January 2025

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0104 77.5th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13181 is a high-severity Path Traversal (CWE-22) vulnerability in Ivanti Avalanche. Its CVSS base score is 7.3 (High).

Operationally, ranked in the top 22.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely flaw remediation through patching Ivanti Avalanche to version 6.4.7 or later, directly fixing the path traversal authentication bypass.

SI-10 Information Input Validation good match

prevent

Validates file path inputs to block directory traversal sequences that enable unauthorized access to restricted resources.

SC-7 Boundary Protection partial match

prevent

Controls network communications to the Avalanche server, limiting remote unauthenticated access opportunities for path traversal exploits.

NVD Description

Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE addresses incomplete fixes from CVE-2024-47010.

Deeper analysisAI

CVE-2024-13181 is a path traversal vulnerability (CWE-22) in Ivanti Avalanche software versions prior to 6.4.7 that enables authentication bypass (CWE-288). It stems from incomplete fixes applied for the related CVE-2024-47010. The issue allows attackers to manipulate file paths in requests to access restricted resources without valid credentials. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

A remote unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting malicious requests that traverse directories, the attacker bypasses authentication mechanisms, potentially gaining unauthorized access to sensitive files or functionalities within the Avalanche management server. Successful exploitation could result in limited impacts: low-level disclosure of confidential information, minor integrity modifications, or slight denial of service.

Ivanti's security advisory for Avalanche 6.4.7 addresses this and multiple related CVEs, recommending immediate upgrade to version 6.4.7 or later to apply the complete fixes. The advisory is available at https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs. Practitioners should verify installations, monitor for anomalous path traversal attempts in logs, and restrict network exposure of Avalanche servers until patched.

Details

CWE(s): CWE-22 CWE-288

Affected Products

ivanti

avalanche

≤ 6.4.6

CVEs Like This One

CVE-2024-13179Same product: Ivanti Avalanche

CVE-2024-13180Same product: Ivanti Avalanche

CVE-2023-38036Same product: Ivanti Avalanche

CVE-2025-9713Same vendor: Ivanti

CVE-2024-13158Same vendor: Ivanti

CVE-2024-10811Same vendor: Ivanti

CVE-2026-1603Same vendor: Ivanti

CVE-2026-5786Same vendor: Ivanti

CVE-2025-13659Same vendor: Ivanti

CVE-2025-22467Same vendor: Ivanti

References

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs
Vendor Advisory · 3c1d8aa1-5a33-4ea4-8992-aadd6440af75