CVE-2024-24996, CVE-2024-29204 Ivanti Avalanche Buffer Overflow Vulnerabilities

This advisory is for organizations that use Ivanti Avalanche as part of their Mobile Device Management (MDM) solution.  If your organization does not use this platform, this notification may be discarded. 



Ivanti has released security updates to address multiple vulnerabilities in Avalanche including the below critical vulnerabilities which could allow an unauthenticated, remote attacker to perform heap buffer overflows on vulnerable platforms and execute arbitrary commands without requiring user interaction.


CVE-2024-24996 – A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands. 

                CVSSv3: 9.8

CVE-2024-29204 - A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands 

               CVSSv3: 9.8


Affected Platforms

All versions of Avalanche prior to 6.4.3 are susceptible to this vulnerability.



Update to version 6.4.3:


Additional Resources