CVE-2024-37399
Published: 14 August 2024
Summary
CVE-2024-37399 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Ivanti Avalanche. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 2.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A NULL pointer dereference vulnerability exists in the WLAvalancheService component of Ivanti Avalanche version 6.3.1. The flaw is tracked as CVE-2024-37399 with a CVSS v3.1 base score of 7.5 and is associated with CWE-476. It permits remote attackers to trigger a crash of the affected service, producing a denial-of-service condition without requiring authentication or user interaction.
An unauthenticated remote attacker can send specially crafted network requests to the exposed WLAvalancheService, causing an immediate service crash and loss of availability. No privileges or prior access are needed, and the attack can be repeated to sustain the outage.
Ivanti's security advisory for this issue addresses CVE-2024-37399 alongside several related vulnerabilities and directs customers to upgrade to Avalanche 6.4.4 or later to resolve the NULL pointer dereference.
The EPSS score for this CVE peaked at 0.5082 after disclosure and has since receded to its current value of 0.4510, which still indicates measurable post-publication exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36635
Vulnerability details
A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.