Cyber Resilience

CVE-2024-22061

Critical · RCE

Published: 19 April 2024
Modified: 06 May 2025
KEV Added: not listed
Patch: Avalanche 6.4.3 (vendor advisory)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0499 (89.9th percentile)
Risk Priority: 23 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-22061 is a critical-severity Command Injection (CWE-77) vulnerability in Ivanti Avalanche. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 10.1% of CVEs by exploit likelihood (EPSS 89.9th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

A Heap Overflow vulnerability exists in the WLInfoRailService component of Ivanti Avalanche versions prior to 6.4.3. The flaw, tracked as CVE-2024-22061 with a CVSS score of 9.8 and associated with CWE-77, permits remote unauthenticated attackers to execute arbitrary commands on affected systems.

An attacker with network access can exploit the issue without authentication or user interaction, achieving full compromise through command execution that impacts confidentiality, integrity, and availability. The attack vector is rated as network-accessible with low complexity under the CVSS metrics.

The vendor advisory for Avalanche 6.4.3 details security hardening measures and addresses this CVE along with related issues, indicating that upgrading to version 6.4.3 mitigates the vulnerability. The associated EPSS score reached a peak of 0.0919 before receding to the current value of 0.0499.


Vulnerability details

A Heap Overflow vulnerability in the WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands.

CWE(s): CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ivanti avalanche, versions ≤ 6.4.3.528

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
