Cyber Resilience

CVE-2024-24992

Severity: High
Published: 19 April 2024
Modified: 06 May 2025
KEV Added: not listed (see Summary)
Patch: available (upgrade to Avalanche 6.4.3 or later; see Deeper analysis)
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.6156 (98.4th percentile)
Risk Priority: 55 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-24992 is a high-severity Path Traversal (CWE-22) vulnerability in Ivanti Avalanche. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood (EPSS 0.6156, 98.4th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-24992 is a path traversal vulnerability (CWE-22) in the web component of Ivanti Avalanche versions prior to 6.4.3. The flaw carries a CVSS 3.1 score of 8.8 and permits remote code execution with SYSTEM-level privileges on the affected server.

A remote attacker who already holds a low-privileged authenticated account can exploit the issue over the network with no user interaction required (AV:N/AC:L/PR:L/UI:N). Successful traversal lets the attacker execute arbitrary commands as SYSTEM, resulting in complete loss of confidentiality, integrity, and availability on the target system.

Ivanti’s security advisory for Avalanche 6.4.3 describes the hardening measures and CVE fixes included in that release, indicating that upgrading to version 6.4.3 or later is the primary mitigation. The associated EPSS score has remained steady at 0.6156 since disclosure, reflecting sustained exploitation interest without a pronounced post-publication climb.

Vulnerability details

A Path Traversal vulnerability in the web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.

CWE(s)

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ivanti
Product: avalanche
Versions: ≤ 6.4.3.528

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.