CVE-2024-24996
Published: 19 April 2024
Summary
CVE-2024-24996 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Ivanti Avalanche. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 3.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A heap overflow vulnerability tracked as CVE-2024-24996 affects the WLInfoRailService component of Ivanti Avalanche versions prior to 6.4.3. The flaw, assigned CWE-122, carries a CVSS 3.1 base score of 9.8 and permits unauthenticated remote code execution.
An attacker with network access can send crafted input to the service without authentication or user interaction, resulting in arbitrary command execution and full compromise of confidentiality, integrity, and availability on the affected system.
Ivanti’s security hardening bulletin for Avalanche 6.4.3 states that the release resolves this issue along with other CVEs and recommends customers upgrade to the fixed version.
EPSS for the CVE reached a peak of 0.4120 after disclosure, indicating measurable post-release exploitation interest that later moderated to the current value of 0.3138.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-22358
Vulnerability details
A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.