CVE-2024-13181: 
Ivanti Avalanche vulnerability analysis and mitigation

A path traversal vulnerability has been identified in Ivanti Avalanche versions prior to 6.4.7, tracked as CVE-2024-13181. This vulnerability allows remote unauthenticated attackers to bypass authentication mechanisms. The issue was discovered as an incomplete fix for a previous vulnerability (CVE-2024-47010) and was disclosed on January 14, 2025 (NVD, MITRE).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Ivanti assessed it with a score of 7.3 (HIGH). The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel) (NVD).

Successful exploitation of this vulnerability could allow an attacker to bypass authentication mechanisms, potentially leading to unauthorized access to the system. Depending on the privileges associated with the compromised access, attackers could install programs, view, change, or delete data. The impact severity varies based on user privilege levels, with administrative users being at higher risk (CIS Advisory).

Organizations are advised to immediately update Ivanti Avalanche to version 6.4.7 after appropriate testing. Additional security measures include implementing the principle of least privilege, managing default accounts, and conducting regular vulnerability assessments (CIS Advisory).