Ivanti Avalanche : Multiple Vulnerabilities Could Allow Authentication Bypass
Introduction
Ivanti has become a major player in enterprise IT management, offering solutions that span from asset management to endpoint security, mobile device management, and beyond. With a customer base of over 35,000 organizations—including critical infrastructure and government agencies—Ivanti’s software is deeply embedded in many operational environments worldwide.
However, with that prominence comes a growing risk profile. Over the past several years, Ivanti products have been repeatedly targeted by attackers exploiting critical vulnerabilities—some with nation-state backing—impacting sectors from finance to defense. Much attention has been given to flaws in products like Ivanti Connect Secure (formerly Pulse Secure VPN), but less so to vulnerabilities in other components of their ecosystem.
In this article, we’re focusing on Ivanti Avalanche, their mobile device management (MDM) platform. While MDM may not be the flashiest attack surface, vulnerabilities here can have real operational consequences—especially in industrial and field environments where mobile devices are tightly integrated into day-to-day workflows. Recent CVEs (CVE-2024-13179, -13180, and -13181) highlight new unauthenticated path traversal vulnerabilities that, if exploited, could give attackers access to sensitive files or let them bypass authentication altogether.
Let’s dive into the specifics of these flaws, explore how they map to known attack frameworks, and review mitigation guidance from both Ivanti and best-practice cybersecurity controls.
Timeline of Vulnerabilities
2020 – Widespread Exploitation of CVE-2019-11510
Vulnerabilities: CVE-2019-11510 (Arbitrary File Read)
Targets: Multiple private enterprises, educational institutions, and government entities worldwide.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a
2021 – Pulse Secure VPN (now Ivanti Connect Secure) Exploits
Vulnerabilities: Multiple, including CVE-2021-22893
Targets: Multiple government agencies, defense companies, and financial institutions in the U.S. and Europe, breached by suspected Chinese state-backed hacker groups exploiting these vulnerabilities.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-110a
2024 – Multiple Zero-Day Vulnerabilities in Ivanti Connect Secure & Policy Secure
Vulnerabilities:
CVE-2023-46805 (Authentication Bypass)
CVE-2024-21887 (Command Injection)
CVE-2024-21888 (Privilege Escalation)
CVE-2024-21893 (Server-Side Request Forgery - SSRF)
Targets:
U.S. and international government agencies
Critical infrastructure (including defense and energy sectors)
Private enterprises
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
January 2025 – New Vulnerabilities in Ivanti Connect Secure
Vulnerabilities: CVE-2025-0282 and CVE-2025-0283.
Targets: Assessment ongoing; indications of state-sponsored interest.
Source: Google Cloud Threat Intelligence
Vulnerabilities in Ivanti Avalanche (CVE-2024-13179 / 13180 / 13181)
While many vulnerabilities in Ivanti products have gained attention due to their impact on government systems or data confidentiality, these specific flaws—CVE-2024-13179, CVE-2024-13180, and CVE-2024-13181—affect Avalanche directly and pose a substantial threat to enterprise operations. An attacker exploiting them could target the availability and integrity of the device management infrastructure itself.
Notably, these vulnerabilities do not require authentication, making them especially dangerous for any instance of Avalanche exposed to the internet or reachable through a compromised internal network.
Technical Details
CVE-2024-13179 / CVE-2024-13181 – Authentication Bypass via Path Traversal
Both CVE-2024-13179 and CVE-2024-13181 describe similar path traversal vulnerabilities present in Ivanti Avalanche versions prior to 6.4.7. By crafting specific HTTP requests that include traversal sequences like ../, an unauthenticated attacker can access restricted internal files and endpoints that are typically protected.
In the case of CVE-2024-13179 and 13181, the impact is particularly critical: they enable bypassing the authentication layer altogether. That means an attacker can access admin-level functionality or sensitive endpoints without valid credentials.
CVE-2024-13180 – Sensitive Data Exposure via Path Traversal
This CVE also leverages path traversal but focuses on information disclosure. A remote attacker can access configuration files, logs, credentials, or other sensitive internal data. Depending on the deployment, this can lead to further privilege escalation or lateral movement within the network.
At the time of writing, no known in-the-wild exploitation or public proof-of-concept (PoC) exists for these vulnerabilities. However, given the ease of exploitation (unauthenticated and remotely reachable), the window for detection and remediation is narrow once an exploit surfaces.
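Because the detection window is narrow once an exploit surfaces, defenders want to know what a traversal attempt against the web interface looks like in their own logs. The following Python is an added example, not code from the article or from Ivanti: it scans constructed access-log lines (combined log format, with an invented /mdm-console/ placeholder path rather than any real Avalanche endpoint) for traversal sequences, including percent-encoded, double-encoded and overlong-UTF-8 forms, and marks which of those requests the server actually served.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); /mdm-console/ is a
# placeholder path, not one of Avalanche's real endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2025:10:01:02 +0000] "GET /mdm-console/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2025:10:01:09 +0000] "GET /mdm-console/../../WEB-INF/web.xml HTTP/1.1" 404 310 "-" "curl/8.4.0"
203.0.113.7 - - [12/Feb/2025:10:01:11 +0000] "GET /static/%2e%2e/%2e%2e/conf/server.xml HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.7 - - [12/Feb/2025:10:01:15 +0000] "GET /static/%252e%252e%252fadmin/ HTTP/1.1" 200 900 "-" "curl/8.4.0"
10.0.0.9 - - [12/Feb/2025:10:02:00 +0000] "GET /static/css/app..min.css HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# '..' must be bounded by a separator or the string edge; app..min.css is not traversal.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
# Overlong UTF-8 encodings of '.', '/' and '\' that lenient decoders map to traversal.
OVERLONG_RE = re.compile(r'%c0%ae|%c0%af|%c1%9c', re.IGNORECASE)

def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e%252e is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def find_traversal(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose path contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("path")
        decoded = fully_decode(raw)
        if TRAVERSAL_RE.search(decoded) or OVERLONG_RE.search(raw):
            hits.append({
                "ip": m.group("ip"),
                "raw": raw,
                "decoded": decoded,
                # A 2xx/3xx on a traversal request is the strongest signal; triage it first.
                "succeeded": int(m.group("status")) < 400,
            })
    return hits
```

Run it over exported web-server logs; the non-404 hits from one source address are the requests to investigate first.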
Path Traversal Primer
Path traversal, or directory traversal, occurs when user-controlled input is used to construct file paths without proper sanitization. By injecting sequences such as ../../../../../etc/passwd, an attacker can trick the application into accessing files outside the intended directory scope.
In web applications like Avalanche, this typically manifests in improperly handled HTTP request parameters or URL paths—allowing attackers to reach files on the underlying server filesystem, or bypass authorization checks that rely on obscured paths.
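To make the primer concrete, here is an added Python example (not from the article and not Avalanche's code) showing the vulnerable join-and-normalize pattern beside a hardened resolver that decodes, normalizes and then enforces containment inside the document root. The base directory is whatever the caller passes; the paths used in the comments are hypothetical.

```python
import os
from typing import Optional
from urllib.parse import unquote

def resolve_unsafe(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: user input is joined onto the base directory and
    normalized, but nothing checks that the result is still inside base_dir,
    so 'static/../../../etc/passwd' resolves to /etc/passwd."""
    return os.path.normpath(os.path.join(base_dir, requested))

def resolve_safe(base_dir: str, requested: str) -> Optional[str]:
    """Hardened pattern: decode, normalize, then refuse anything outside base_dir.
    Returns the resolved absolute path, or None when the request must be rejected."""
    # Decode until stable so double-encoded sequences (%252e%252e) cannot hide.
    decoded = requested
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    # Treat backslashes as separators; some stacks accept ..\ as traversal too.
    decoded = decoded.replace("\\", "/")
    # Absolute paths and NUL bytes have no legitimate use in a relative request.
    if decoded.startswith("/") or "\x00" in decoded:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Containment check on the fully resolved path (symlinks included): the
    # candidate must be base_dir itself or live beneath it, separator included,
    # so that '/srv/webroot-old' is not mistaken for a child of '/srv/webroot'.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate
```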
A Glimpse at Real-World Exploitation
While these CVEs are distinct, it's worth noting a past demo by the Zero Day Initiative in 2021 showing an authentication bypass in Ivanti Avalanche. Although it’s a separate vulnerability, it illustrates the potential for Avalanche’s web interface to be exploited remotely with minimal access or technical hurdles.
The key takeaway: vulnerabilities in MDM platforms like Avalanche—while less glamorous than VPN exploits—can pose real risks to business continuity, especially in environments where device uptime is tightly coupled to industrial operations.
MITRE ATT&CK Mapping and Cyber Kill Chain
Tactic | Technique | Technique Name | Context |
---|---|---|---|
Initial Access | T0819 | Exploit Public-Facing Application | Avalanche is commonly exposed via web interfaces; unauthenticated attackers could exploit these path traversal flaws directly. |
Persistence | T0859 | Valid Accounts | If sensitive credentials are extracted via traversal, an attacker could establish persistent admin sessions. |
Discovery | T0846 | Remote System Discovery | Once internal files are exposed, attackers may enumerate systems, devices and networks. |
Impact | T0826 / T0827 | Loss of Availability / Loss of Control | Leakage of sensitive data or configuration tampering could affect MDM functionality or the operational environments it manages. |
Mitigations
• IP whitelisting & blacklisting
• MFA enabled for critical commands
Specific Ivanti & CIS recommendations:
Ivanti
• Apply appropriate updates provided by Ivanti to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
CIS
Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Use vulnerability scanning to find potentially exploitable software vulnerabilities so they can be remediated before they are exploited. (M1016: Vulnerability Scanning)
Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.