Cyber Resilience

CVE-2024-24996

Severity: Critical
Published: 19 April 2024
Modified: 06 May 2025
KEV Added: not listed
Patch: fixed in Avalanche 6.4.3
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.3138 (96.9th percentile)
Risk priority: 38 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-24996 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Ivanti Avalanche. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 3.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A heap overflow vulnerability tracked as CVE-2024-24996 affects the WLInfoRailService component of Ivanti Avalanche versions prior to 6.4.3. The flaw, assigned CWE-122, carries a CVSS 3.1 base score of 9.8 and permits unauthenticated remote code execution.

An attacker with network access can send crafted input to the service without authentication or user interaction, resulting in arbitrary command execution and full compromise of confidentiality, integrity, and availability on the affected system.

Ivanti’s security hardening bulletin for Avalanche 6.4.3 states that the release resolves this issue along with other CVEs and recommends customers upgrade to the fixed version.

EPSS for the CVE reached a peak of 0.4120 after disclosure, indicating measurable post-release exploitation interest that later moderated to the current value of 0.3138.

EU & UK References

Vulnerability details

A heap overflow vulnerability in the WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.

CWE(s)

CWE-122: Heap-based Buffer Overflow

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ivanti
Product: avalanche
Versions: ≤ 6.4.3.528

Note that this version range is inclusive of a 6.4.3 build, while the vulnerability description says the flaw affects versions before 6.4.3; confirm the exact fixed build against Ivanti's Avalanche 6.4.3 bulletin before closing out an asset.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References