CVE-2024-22061
Published: 19 April 2024
Summary
CVE-2024-22061 is a critical-severity vulnerability in Ivanti Avalanche, catalogued under CWE-77 (Command Injection); the vendor description identifies the underlying flaw as a heap overflow in the WLInfoRailService component. Its CVSS base score is 9.8 (Critical).
Its EPSS score places it in the top 10.1% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
A heap overflow vulnerability exists in the WLInfoRailService component of Ivanti Avalanche versions prior to 6.4.3. The flaw, tracked as CVE-2024-22061 with a CVSS score of 9.8, permits remote unauthenticated attackers to execute arbitrary commands on affected systems. Note that the assigned weakness class, CWE-77 (Command Injection), describes the resulting impact rather than the memory-corruption root cause named in the vendor description.
An attacker with network access can exploit the issue without authentication or user interaction, achieving full compromise through command execution that impacts confidentiality, integrity, and availability. Under the CVSS metrics the attack vector is Network, attack complexity is Low, no privileges are required, and no user interaction is needed.
The vendor advisory for Avalanche 6.4.3 details security hardening measures and addresses this CVE along with related issues; upgrading to version 6.4.3 or later remediates the vulnerability. The associated EPSS score reached a peak of 0.0919 before receding to the current value of 0.0499 (roughly a 5% estimated probability of exploitation activity in the next 30 days).
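Because the only vendor-stated remediation is the version boundary (fixed in 6.4.3), the practical first step is to find every Avalanche install that predates it. The following is an added example, not code from the page or from Ivanti: it triages a constructed asset inventory against CVE-2024-22061 by comparing version strings numerically. The inventory rows, hostnames, and the assumption that an inventory carries a product name and a version string are all illustrative; the 6.4.3 boundary is the one fact taken from the advisory.

```python
"""Triage an asset inventory for CVE-2024-22061 (Ivanti Avalanche before 6.4.3).

Added example, not Ivanti's or the page's own code. The inventory rows below
are constructed sample data; the fixed-version boundary (6.4.3) is the only
detail taken from the vendor advisory.
"""
from __future__ import annotations

import re
from typing import Iterable

FIXED_VERSION = "6.4.3"      # first Avalanche release that addresses CVE-2024-22061
PRODUCT = "Ivanti Avalanche"  # assumed product label used by the inventory

# Leading dotted-integer run; trailing text such as "build 123" is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '6.4.2' or '6.4.10 build 123' into a tuple of ints.

    Integer tuples compare numerically, so 6.4.10 sorts after 6.4.3. A plain
    string comparison gets that backwards ('6.4.10' < '6.4.3' lexically) and
    would mark a patched host as vulnerable.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    v, f = parse_version(version), parse_version(fixed)
    # Pad the shorter tuple with zeros so that 6.4 is treated as 6.4.0 (< 6.4.3).
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f


# Constructed sample inventory: (hostname, product, version string).
SAMPLE_INVENTORY = [
    ("mdm-01", "Ivanti Avalanche", "6.4.2"),
    ("mdm-02", "Ivanti Avalanche", "6.4.3"),
    ("mdm-03", "Ivanti Avalanche", "6.4.10"),   # misjudged by a string compare
    ("mdm-04", "Ivanti Avalanche", "6.3"),
    ("web-01", "Some Other Product", "1.0"),   # not Avalanche, never flagged
]


def triage(inventory: Iterable[tuple[str, str, str]]) -> list[str]:
    """Return the hostnames that still run a vulnerable Avalanche build."""
    return [
        host
        for host, product, version in inventory
        if product == PRODUCT and is_vulnerable(version)
    ]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to {PRODUCT} {FIXED_VERSION} or later (CVE-2024-22061)")
```

The zero-padding and numeric comparison are the part worth keeping: version strings with a fourth build component (for example 6.4.2.nnn) still sort correctly below 6.4.3, and a future 6.4.10 is not mistaken for a pre-patch build.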
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-19659
Vulnerability details
A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands.
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Ivanti Avalanche, versions prior to 6.4.3 (WLInfoRailService component).
Mitigating Controls
No mitigating controls mapped yet beyond the vendor fix: upgrade Ivanti Avalanche to 6.4.3 or later, the release the vendor advisory states addresses this CVE.