CVE-2024-25000
Published: 19 April 2024
Summary
CVE-2024-25000 is a high-severity Path Traversal (CWE-22) vulnerability in Ivanti Avalanche. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 7.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A Path Traversal vulnerability tracked as CVE-2024-25000 affects the web component of Ivanti Avalanche versions prior to 6.4.3. The flaw, assigned CWE-22 and carrying a CVSS 3.1 score of 8.8, permits unauthorized access to files outside intended directories through improper input validation.
A remote attacker who already possesses valid credentials can leverage the issue over the network without user interaction to execute arbitrary commands with SYSTEM-level privileges on the affected server, resulting in full confidentiality, integrity, and availability impact.
Ivanti’s security hardening bulletin for Avalanche 6.4.3 states that the release resolves this and related CVEs; administrators are advised to upgrade to version 6.4.3 or later to eliminate the exposure.
EPSS for the CVE remains flat at 0.0902 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-22362
Vulnerability details
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.