CVE-2024-24997
Published: 19 April 2024
Summary
CVE-2024-24997 is a high-severity Path Traversal (CWE-22) vulnerability in Ivanti Avalanche. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 8.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A Path Traversal vulnerability tracked as CVE-2024-24997 affects the web component of Ivanti Avalanche versions prior to 6.4.3. The flaw, classified under CWE-22, carries a CVSS 3.1 score of 8.8 and permits unauthorized access to files outside intended directories.
A remote authenticated attacker with low privileges can exploit the issue over the network without user interaction to execute arbitrary commands with SYSTEM-level privileges on the affected server. This grants full control over the target system, including the ability to read, modify, or delete sensitive data and install persistent access mechanisms.
Ivanti's security advisory for Avalanche 6.4.3 states that the release incorporates hardening measures and patches addressing this CVE along with related issues, recommending that customers upgrade promptly to the fixed version.
The associated EPSS score has remained flat at 0.0678 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-22359
Vulnerability details
A Path Traversal vulnerability in the web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Ivanti Avalanche (web component), versions prior to 6.4.3.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.
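As an added illustration of the CWE-22 control listed above (example code written for this page, not Ivanti's Avalanche code; the base directory and file names are constructed), the vulnerable join pattern beside a hardened resolver that canonicalizes first and then checks containment segment by segment:

```python
import ntpath
import posixpath

# Constructed base directory for the example; not Ivanti Avalanche's real layout.
BASE_DIR = "/srv/avalanche/files"


def naive_join(base_dir, user_path):
    """Vulnerable pattern (the CWE-22 shape): trust the client-supplied name.

    posixpath.join discards base_dir entirely when user_path is absolute, and
    '..' segments pass straight through to the filesystem call.
    """
    return posixpath.join(base_dir, user_path)


def safe_resolve(base_dir, user_path):
    """Hardened pattern: canonicalize, then verify containment segment-wise.

    Returns the resolved absolute path, or None when the request must be refused.
    Apply it to the fully URL-decoded name the filesystem call will actually use.
    """
    base_dir = posixpath.normpath(base_dir)
    if "\x00" in user_path:
        return None                      # NUL truncates the path in a C-level open()
    # Windows hosts accept both separators; normalize before any check.
    user_path = user_path.replace("\\", "/")
    if posixpath.isabs(user_path) or ntpath.splitdrive(user_path)[0]:
        return None                      # no absolute, drive-letter or UNC paths
    candidate = posixpath.normpath(posixpath.join(base_dir, user_path))
    # commonpath compares whole segments, so the blind spot of a plain
    # startswith() prefix test (/srv/avalanche/files_secret "starts with"
    # /srv/avalanche/files) cannot occur here.
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None
    # On a live filesystem also run os.path.realpath() on candidate before the
    # containment check: lexical normalization cannot see symlinks that point
    # outside base_dir.
    return candidate


if __name__ == "__main__":
    for name in ("reports/q1.csv", "../../../etc/passwd", "..\\..\\Windows\\win.ini",
                 "/etc/passwd", "C:/Windows/win.ini", "reports/../../files_secret/x"):
        print(f"{name!r:36} naive={naive_join(BASE_DIR, name)!r:46} "
              f"safe={safe_resolve(BASE_DIR, name)!r}")
```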