Critical Vulnerabilities in Ivanti Avalanche
17 April 2024
Ivanti has released security updates addressing two critical vulnerabilities (CVE-2024-24996 and CVE-2024-29204) in their Avalanche mobile device management (MDM) products that can be exploited for remote command execution.
The vulnerabilities are:
- CVE-2024-24996: A heap overflow vulnerability in the WLInfoRailService component of Ivanti Avalanche that allows an unauthenticated remote attacker to execute arbitrary commands.
- CVE-2024-29204: A heap overflow vulnerability in the WLAvalancheService component of Ivanti Avalanche that allows an unauthenticated remote attacker to execute arbitrary commands.
These vulnerabilities impact Avalanche versions 6.4.2 and below.
Users and administrators of the affected products are advised to update to the latest versions immediately.
More information is available here:
https://www.ivanti.com/blog/security-update-for-ivanti-avalanche