HIGH · CVE-2024-47010 · CVSS 7.3

CVE-2024-47010: Path Traversal in Ivanti Avalanche

Platform

ivanti

Component

ivanti-avalanche

Fixed in

6.4.5

AI Confidence: high · Source: NVD · EPSS 1.3% · Reviewed: May 2026

CVE-2024-47010 describes a Path Traversal vulnerability discovered in Ivanti Avalanche prior to version 6.4.5. This flaw allows a remote, unauthenticated attacker to bypass authentication controls, leading to potential unauthorized access. The vulnerability impacts versions of Ivanti Avalanche up to and including 6.4.5. A patch is available, requiring users to upgrade to version 6.4.5.

Impact and Attack Scenarios

The core impact of CVE-2024-47010 lies in its ability to bypass authentication. An attacker can exploit this vulnerability to gain unauthorized access to files and directories on the server hosting Ivanti Avalanche. This could include sensitive configuration data, user credentials, or even application code. Successful exploitation could lead to data breaches, system compromise, and potential lateral movement within the network if the server has access to other resources. The lack of authentication required significantly broadens the attack surface, making it easier for attackers to exploit.

Exploitation Context

CVE-2024-47010 was publicly disclosed on October 8, 2024. As of this date, there is no indication of active exploitation in the wild. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept (PoC) code is not widely available, but the ease of exploitation due to the lack of authentication suggests a potential for rapid development and dissemination of PoCs.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

1.34% (80th percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (base score 7.3, HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: Low (risk of service disruption)
Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: ivanti-avalanche
Vendor: Ivanti
Maximum version: 6.4.5
Fixed in: 6.4.5

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-47010 is to upgrade Ivanti Avalanche to version 6.4.5 or later, which contains the fix. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing temporary workarounds. Restrict network access to the Ivanti Avalanche server using a Web Application Firewall (WAF) or proxy, blocking requests containing suspicious path traversal patterns (e.g., '../'). Carefully review and restrict file permissions on the server to limit the potential impact of unauthorized access. After upgrading, confirm the vulnerability is resolved by attempting a path traversal request and verifying that access is denied.
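The interim WAF/proxy workaround above hinges on one detail that a literal rule for '../' gets wrong: the traversal sequence usually arrives percent-encoded, so the filter has to decode the request target before it looks for '..' segments. The screen below is an added example, not code from the advisory or from Ivanti; the log lines, the /AvalancheWeb path prefix and the decode-depth limit are constructed assumptions. It shows the naive substring rule beside a decode-then-segment check and runs both over a few sample request lines.

```python
"""Added example (not Ivanti's code): request-path screening for a reverse proxy
or WAF placed in front of an Avalanche server until the 6.4.5 upgrade lands."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines; paths and addresses are made up.
SAMPLE_REQUESTS = [
    '10.0.0.5 - - "GET /AvalancheWeb/login.aspx HTTP/1.1" 200',
    '10.0.0.6 - - "GET /AvalancheWeb/../../config/settings.xml HTTP/1.1" 200',
    '10.0.0.7 - - "GET /AvalancheWeb/%2e%2e/%2e%2e/config/settings.xml HTTP/1.1" 200',
    '10.0.0.8 - - "GET /AvalancheWeb/img/logo.png HTTP/1.1" 200',
]

# Pulls method and request-target out of a combined-log style line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def decode_fully(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable, bounded so a filter cannot be made to loop.

    The bound of three rounds is an assumption for this example."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def naive_match(target: str) -> bool:
    """The literal rule the advisory suggests as a workaround: look for '../'."""
    return "../" in target


def traversal_depth(target: str) -> int:
    """Count '..' path segments after decoding and separator normalisation.

    Backslashes are folded to '/' because the product runs on Windows, where
    either separator is honoured (assumption). The query string is ignored
    since it does not take part in file-path resolution."""
    path_only = decode_fully(target).split("?", 1)[0].replace("\\", "/")
    return sum(1 for seg in path_only.split("/") if seg == "..")


def screen(line: str) -> tuple:
    """Return (decision, reason) for one log line: allow, block or drop."""
    match = REQUEST_RE.search(line)
    if not match:
        return ("drop", "request line not parseable")
    depth = traversal_depth(match.group("target"))
    if depth:
        return ("block", f"{depth} '..' segment(s) after decoding")
    return ("allow", "")


def screen_all(lines=SAMPLE_REQUESTS) -> list:
    """Run both rules over every line: (decision, naive_rule_hit) per line."""
    results = []
    for line in lines:
        match = REQUEST_RE.search(line)
        naive = naive_match(match.group("target")) if match else False
        results.append((screen(line)[0], naive))
    return results


if __name__ == "__main__":
    for line, (decision, naive) in zip(SAMPLE_REQUESTS, screen_all()):
        print(f"{decision:5} naive_rule={naive!s:5} {line}")
```

Note the third sample line: the decoded check blocks it while the literal '../' rule does not, which is why a WAF rule written from the advisory's hint should operate on the decoded target. Blocking every '..' segment, rather than only those that climb past the web root, is the deliberate choice here: no legitimate Avalanche client has a reason to send one, and the conservative rule leaves less room for error while the patch is pending.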

How to fix

Update Ivanti Avalanche to version 6.4.5 or later. The update addresses the path traversal vulnerability that allows authentication bypass. See the Ivanti security advisory for detailed update instructions.

Frequently asked questions

What is CVE-2024-47010 — Path Traversal in Ivanti Avalanche?

CVE-2024-47010 is a Path Traversal vulnerability affecting Ivanti Avalanche versions up to 6.4.5, allowing attackers to bypass authentication and access sensitive files.

Am I affected by CVE-2024-47010 in Ivanti Avalanche?

You are affected if you are using Ivanti Avalanche version 6.4.5 or earlier. Check your version and upgrade immediately.

How do I fix CVE-2024-47010 in Ivanti Avalanche?

Upgrade Ivanti Avalanche to version 6.4.5 or later to resolve the vulnerability. Consider temporary WAF rules as an interim measure.

Is CVE-2024-47010 being actively exploited?

As of October 2024, there is no confirmed active exploitation of CVE-2024-47010 in the wild, but the ease of exploitation warrants caution.

Where can I find the official Ivanti advisory for CVE-2024-47010?

Refer to the official Ivanti Security Advisory for detailed information and remediation steps: [https://www.ivanti.com/support/kb/security-advisories/](https://www.ivanti.com/support/kb/security-advisories/)