CVE-2024-24992
Published: 19 April 2024
Summary
CVE-2024-24992 is a high-severity Path Traversal (CWE-22) vulnerability in Ivanti Avalanche. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 1.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-24992 is a path traversal vulnerability (CWE-22) in the web component of Ivanti Avalanche versions prior to 6.4.3. The flaw carries a CVSS 3.1 score of 8.8 and permits remote code execution with SYSTEM-level privileges on the affected server.
A remote attacker who already possesses a low-privileged authenticated account can exploit the issue over the network with no user interaction required. Successful traversal allows the attacker to execute arbitrary commands as SYSTEM, resulting in complete loss of confidentiality, integrity, and availability on the target system.
Ivanti’s security advisory for Avalanche 6.4.3 describes the hardening measures and CVE fixes included in that release, indicating that upgrading to version 6.4.3 or later is the primary mitigation. The associated EPSS score has remained steady at 0.6156 since disclosure, reflecting sustained exploitation interest without a pronounced post-publication climb.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-22354
Vulnerability details
A Path Traversal vulnerability in the web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.
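The control listed above, pathname validation, is easy to get subtly wrong. The following Python snippet is an added example written for this page; it is not code from Ivanti Avalanche, whose implementation is not shown here. It contrasts a weak string-prefix check (`weak_check`, which accepts `/srv/files2` as "inside" `/srv/files`) with a component-wise containment check (`resolve_under`) that canonicalises the path, follows symlinks, rejects NUL bytes and absolute paths, and treats backslashes as separators. The directory layout built in `demo()` is constructed sample data in a temporary directory; `PathTraversalError` and the function names are this example's own.

```python
import os
import shutil
import tempfile
from pathlib import Path, PurePosixPath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the permitted directory."""


def weak_check(base: str, user_path: str) -> bool:
    """The common mistake: normalise, then test a string prefix.

    '/srv/files/../files2/secret' normalises to '/srv/files2/secret', which
    starts with '/srv/files' and is therefore wrongly accepted.
    """
    candidate = os.path.normpath(os.path.join(base, user_path))
    return candidate.startswith(base)


def resolve_under(base: str, user_path: str) -> Path:
    """Return the canonical path for user_path inside base, or raise.

    The caller must open the returned Path, never the raw user_path,
    otherwise the check and the file access can disagree.
    """
    base_real = Path(base).resolve()

    # Decode percent-encoding once (assumption: the framework passes the raw
    # URL component). '..%2F' would otherwise survive lexical normalisation.
    decoded = unquote(user_path)

    # NUL bytes truncate paths in C-level file APIs ('x.txt\0.png' -> 'x.txt').
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")

    # Backslash is a separator on Windows; normalise it so '..\\' is seen as '../'.
    decoded = decoded.replace("\\", "/")
    rel = PurePosixPath(decoded)
    if rel.is_absolute():
        raise PathTraversalError("absolute path not allowed")

    # resolve() collapses '..' and follows symlinks, so a link inside base that
    # points outside it is caught as well.
    candidate = (base_real / rel).resolve()

    # relative_to() compares path components, not a string prefix, so
    # '/srv/files2' is correctly rejected for base '/srv/files'.
    try:
        candidate.relative_to(base_real)
    except ValueError:
        raise PathTraversalError(f"{user_path!r} escapes {base}") from None
    return candidate


def demo() -> dict:
    """Run a set of probes against a constructed layout in a temp directory."""
    root = Path(tempfile.mkdtemp())
    base = root / "public"
    base.mkdir()
    (base / "readme.txt").write_text("public content")
    (root / "secret.txt").write_text("outside the web root")
    # A symlink inside base that points outside it.
    (base / "escape").symlink_to(root / "secret.txt")

    probes = [
        "readme.txt",            # plain file inside base
        "sub/../readme.txt",     # harmless '..' that stays inside base
        "../secret.txt",         # classic traversal
        "..%2F..%2Fsecret.txt",  # percent-encoded separators
        "..\\secret.txt",        # backslash separator
        "/etc/passwd",           # absolute path
        "escape",                # symlink pointing out of base
        "readme.txt\x00.png",    # NUL-byte truncation
    ]
    results = {}
    try:
        for probe in probes:
            try:
                resolve_under(str(base), probe)
                results[probe] = "allowed"
            except PathTraversalError:
                results[probe] = "blocked"
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print("weak_check wrongly accepts /srv/files2:", weak_check("/srv/files", "../files2/secret"))
    for probe, verdict in demo().items():
        print(f"{verdict:8} {probe!r}")
```

Two points the example makes concrete: containment must be decided on canonical path components after symlink resolution, and the decoded, resolved path returned by the check is the only one the application should subsequently open. Decoding must also match what the web layer has already done; decoding a different number of times than the server that serves the file reintroduces the gap.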