Cyber Resilience

CVE-2024-29204

Critical

Published: 19 April 2024

Published
19 April 2024
Modified
06 May 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1221 94.0th percentile
Risk Priority 27 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-29204 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Ivanti Avalanche. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 6.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-29204 is a heap overflow vulnerability, tracked as CWE-122, in the WLAvalancheService component of Ivanti Avalanche versions prior to 6.4.3. The flaw received a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors with no required authentication or user interaction and full impact on confidentiality, integrity, and availability.

A remote unauthenticated attacker can send specially crafted input to the affected service and trigger the overflow, resulting in arbitrary command execution on the target system. Because the service is reachable over the network and requires no credentials, the issue is exploitable by any party with network connectivity to an unpatched Avalanche deployment.

Ivanti’s advisory for Avalanche 6.4.3 states that the release incorporates fixes for this CVE together with additional security hardening changes; administrators are advised to upgrade to 6.4.3 or later. The EPSS score has remained steady at 0.1221 with no material increase observed after disclosure.

EU & UK References

Vulnerability details

A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ivanti
avalanche
≤ 6.4.3.528

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References