Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2024-13180

CVE-2024-13180: Ivanti Avalanche Path Traversal Flaw

CVE-2024-13180 is a path traversal vulnerability in Ivanti Avalanche that allows remote unauthenticated attackers to leak sensitive information. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2024-13180 Overview

CVE-2024-13180 is a path traversal vulnerability in Ivanti Avalanche before version 6.4.7. A remote unauthenticated attacker can exploit the flaw to read sensitive files outside the intended directory and leak confidential information. The issue addresses incomplete fixes from CVE-2024-47011, meaning prior remediation attempts did not fully close the traversal path. The weakness maps to CWE-22, Improper Limitation of a Pathname to a Restricted Directory.

Critical Impact

Unauthenticated remote attackers can traverse directories on vulnerable Ivanti Avalanche servers and exfiltrate sensitive files without credentials or user interaction.

Affected Products

  • Ivanti Avalanche versions prior to 6.4.7
  • Ivanti Avalanche mobile device management server components
  • Deployments that previously applied the CVE-2024-47011 fix but remain on a version below 6.4.7

Discovery Timeline

  • 2025-01-14 - CVE-2024-13180 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-13180

Vulnerability Analysis

Ivanti Avalanche is an enterprise mobility management platform used to provision and manage rugged mobile devices. The vulnerability resides in request-handling logic that processes user-supplied file or path parameters. The application fails to fully canonicalize and validate input before resolving it against the server file system. Attackers send crafted HTTP requests containing directory traversal sequences such as ../ to escape the intended working directory and reference arbitrary file paths.

The advisory notes this CVE addresses incomplete remediation of CVE-2024-47011. The earlier patch filtered certain traversal patterns but did not normalize encoded variants or alternate path separators. Exploitation requires no authentication and no user interaction, and the attack is delivered over the network. Successful exploitation discloses file contents that may include configuration data, credentials, certificates, or device inventory information.

Root Cause

The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. Input validation routines do not reject all traversal sequences, leaving residual paths that resolve outside the application's permitted directory tree after the CVE-2024-47011 fix.

Attack Vector

Attackers reach the vulnerable endpoint over the network without credentials. A single crafted HTTP request containing traversal payloads in a path or filename parameter triggers the disclosure. The vector requires only that the Avalanche service is reachable on its listening port. See the Ivanti Security Advisory for Avalanche 6.4.7 for vendor details.

Detection Methods for CVE-2024-13180

Indicators of Compromise

  • HTTP requests to Avalanche endpoints containing ../, ..\, or URL-encoded variants such as %2e%2e%2f and %2e%2e/ in path or filename parameters.
  • Web server access logs showing responses returning unexpected file content lengths from request paths that reference system or configuration directories.
  • Outbound transfers of sensitive configuration files or credential material shortly after suspicious Avalanche requests.

Detection Strategies

  • Inspect web server and application logs for traversal patterns in query strings and POST bodies targeting Avalanche services.
  • Deploy web application firewall signatures that flag canonicalized traversal attempts against the Avalanche URI namespace.
  • Correlate unauthenticated requests with high-entropy file paths and HTTP 200 responses to identify successful disclosure.

Monitoring Recommendations

  • Alert on access to Avalanche file-serving endpoints from external networks, particularly when no prior authentication event exists for the source.
  • Monitor process and file access on the Avalanche server for reads of sensitive files outside the application's installation directory.
  • Track the Ivanti vendor advisory feed for revised guidance and additional related CVEs disclosed in the 6.4.7 release.

How to Mitigate CVE-2024-13180

Immediate Actions Required

  • Upgrade Ivanti Avalanche to version 6.4.7 or later, which contains the complete fix for this traversal flaw.
  • Restrict network access to Avalanche management interfaces using firewall rules, allowing only trusted administrative networks.
  • Review web server and application logs for traversal patterns dating back to the initial CVE-2024-47011 disclosure to identify prior exploitation attempts.

Patch Information

Ivanti released the fix in Avalanche 6.4.7. Refer to the Ivanti Security Advisory - Multiple CVEs for download links and full patch coverage. The EPSS score of 27.759% (97.8 percentile) indicates elevated exploitation likelihood relative to most CVEs, making prompt patching a priority.

Workarounds

  • Place Avalanche servers behind a reverse proxy or web application firewall configured to block path traversal sequences in URIs and parameters.
  • Limit inbound exposure of Avalanche to VPN or zero-trust network access channels until patching completes.
  • Rotate any credentials, API keys, or certificates stored on or accessible from the Avalanche server if exploitation is suspected.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne