Cyber Resilience

CVE-2024-47007

High

Published: 08 October 2024

Modified: 16 October 2024
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0398 (88.7th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-47007 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Ivanti Avalanche. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 11.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A NULL pointer dereference vulnerability exists in WLAvalancheService.exe within Ivanti Avalanche versions prior to 6.4.5. The flaw, tracked as CVE-2024-47007 and assigned CWE-476, carries a CVSS 3.1 score of 7.5, reflecting a network attack vector with low attack complexity that requires no authentication or user interaction and results in high availability impact.

An unauthenticated remote attacker can send crafted requests to the affected service over the network, triggering the NULL pointer dereference and causing the service to crash, thereby denying service to legitimate users of the Avalanche management platform.

The official Ivanti security advisory for Avalanche 6.4.5 directs customers to apply the version 6.4.5 update, which resolves the NULL pointer dereference. The associated EPSS score remains low, with a recorded peak of only 0.0505.

EU & UK References

Vulnerability details

A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to cause a denial of service.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ivanti
avalanche
≤ 6.4.5

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References