Security News > 2024 > April > Ivanti patches critical Avalanche flaw exploitable via a simple message (CVE-2024-29204)
The newest version of Ivanti Avalanche - the company's enterprise mobile device management solution - carries fixes for 27 vulnerabilities, two of which are critical and may allow a remote unauthenticated attacker to execute arbitrary commands on the underlying Windows system.
Both critical vulnerabilities are heap overflow bugs: CVE-2024-29204 is in the WLAvalancheService, and CVE-2024-24996 in the WLInfoRailService component of Ivanti Avalanche before v6.4.3, and may allow unauthenticated remote attackers to execute arbitrary commands on vulnerable systems.
Tenable Security, which disclosed CVE-2024-29204 and a proof-of-concept exploit for it to Ivanti, has published additional details about the flaw and how it can be exploited by sending messages to Avalanche's WLAvalancheService.
Ivanti Avalanche v6.4.3 contains fixes for 25 other vulnerabilities affecting those same two components and a web component of the solution.
"These vulnerabilities affect any older versions of Avalanche," Ivanti said.
With vulnerabilities in its enterprise mobile management, VPN, and network access control solutions having been exploited by attackers left and right, Ivanti has had a difficult few months.
News URL
https://www.helpnetsecurity.com/2024/04/18/cve-2024-29204/
Related news
- MITRE warns that funding for critical CVE program expires today (source)
- CISA extends funding to ensure 'no lapse in critical CVE services' (source)
- PoC exploit for critical Erlang/OTP SSH bug is public (CVE-2025-32433) (source)
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
- DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks (source)
- Critical SAP NetWeaver flaw exploited by suspected initial access broker (CVE-2025-31324) (source)
- ⚡ Weekly Recap: Critical SAP Exploit, AI-Powered Phishing, Major Breaches, New CVEs & More (source)
- China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide (source)
- Ivanti warns of critical Neurons for ITSM auth bypass flaw (source)
- Ivanti EPMM vulnerabilities exploited in the wild (CVE-2025-4427, CVE-2025-4428) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-04-19 | CVE-2024-29204 | Unspecified vulnerability in Ivanti Avalanche A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands | 9.8 |
| 2024-04-19 | CVE-2024-24996 | Unspecified vulnerability in Ivanti Avalanche A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands. | 9.8 |