CVE-2024-47007
Published: 08 October 2024
Summary
CVE-2024-47007 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Ivanti Avalanche. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 11.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A NULL pointer dereference vulnerability exists in WLAvalancheService.exe within Ivanti Avalanche versions prior to 6.4.5. The flaw, tracked as CVE-2024-47007 and assigned CWE-476, carries a CVSS 3.1 score of 7.5, reflecting an attack that is reachable over the network, requires no authentication or user interaction, and results in high availability impact.
An unauthenticated remote attacker can send crafted requests to the affected service over the network, triggering the NULL pointer dereference and causing the service to crash, thereby denying service to legitimate users of the Avalanche management platform.
The official Ivanti security advisory for Avalanche 6.4.5 directs customers to apply the version 6.4.5 update, which resolves the NULL pointer dereference. The associated EPSS score remains low, with a recorded peak of only 0.0505.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-42224
Vulnerability details
A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to cause a denial of service.
- CWE(s): CWE-476 (NULL Pointer Dereference)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.