Ivanti Avalanche
By the Year
In 2026 there have been 0 vulnerabilities in Ivanti Avalanche. Last year, in 2025, Avalanche had 6 security vulnerabilities published. Right now, Avalanche is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 6 | 9.03 |
| 2024 | 45 | 7.79 |
| 2023 | 38 | 8.84 |
| 2022 | 1 | 7.50 |
| 2021 | 10 | 8.93 |
| 2020 | 1 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 2 | 7.15 |
It may take a day or so for new Avalanche vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Ivanti Avalanche Security Vulnerabilities
SQL Injection RCE in Ivanti Avalanche v<6.4.8.8008
CVE-2025-8296
- August 12, 2025
SQL injection in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to execute arbitrary SQL queries. In certain conditions, this can also lead to remote code execution.
SQL Injection
IVANTI AVALANCHE RCE via Incomplete Config Restriction before v6.4.8.8008
CVE-2025-8297
- August 12, 2025
Incomplete restriction of configuration in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Unrestricted File Upload
Ivanti Avalanche Manager <6.4.1 Buffer Overflow Causing Exploits
CVE-2023-38036
- July 12, 2025
A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a buffer overflow that could result in service disruption or arbitrary code execution.
Ivanti Avalanche <6.4.7 Path Traversal bypass auth
CVE-2024-13179
9.8 - Critical
- January 14, 2025
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication.
Directory traversal
Path Traversal in Ivanti Avalanche <6.4.7 (unauthenticated remote leak)
CVE-2024-13180
7.5 - High
- January 14, 2025
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. This CVE addresses incomplete fixes from CVE-2024-47011.
Directory traversal
Path Traversal in Ivanti Avalanche <6.4.7 Remote Auth Bypass
CVE-2024-13181
9.8 - Critical
- January 14, 2025
Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. This CVE addresses incomplete fixes from CVE-2024-47010.
Directory traversal
Ivanti Avalanche Null Pointer Dereference Denial of Service Vulnerability
CVE-2024-50317
7.5 - High
- November 12, 2024
A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
NULL Pointer Dereference
Ivanti Avalanche Null Pointer Dereference Denial of Service Vulnerability
CVE-2024-50318
7.5 - High
- November 12, 2024
A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
NULL Pointer Dereference
Ivanti Avalanche Infinite Loop Denial of Service Vulnerability
CVE-2024-50319
7.5 - High
- November 12, 2024
An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
Infinite Loop
Ivanti Avalanche Infinite Loop Denial of Service Vulnerability
CVE-2024-50320
7.5 - High
- November 12, 2024
An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
Infinite Loop
Ivanti Avalanche Infinite Loop Denial of Service Vulnerability
CVE-2024-50321
7.5 - High
- November 12, 2024
An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service.
Infinite Loop
Ivanti Avalanche Out-of-Bounds Read Information Disclosure Vulnerability
CVE-2024-50331
7.5 - High
- November 12, 2024
An out-of-bounds read vulnerability in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to leak sensitive information in memory.
Out-of-bounds Read
Null-Pointer Deref in Ivanti Avalanche <6.4.5 (WLAvalancheService.exe)
CVE-2024-47007
7.5 - High
- October 08, 2024
A NULL pointer dereference in WLAvalancheService.exe of Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to cause a denial of service.
NULL Pointer Dereference
SSRF in Ivanti Avalanche before 6.4.5: Remote Information Leak
CVE-2024-47008
7.5 - High
- October 08, 2024
Server-side request forgery in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.
SSRF
Path Trv. in Ivanti Avalanche <6.4.5 Unauth Auth Bypass
CVE-2024-47009
9.8 - Critical
- October 08, 2024
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
Directory traversal
Path Traversal in Ivanti Avalanche <6.4.5 Unauth Auth Bypass
CVE-2024-47010
9.8 - Critical
- October 08, 2024
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
Directory traversal
Path Traversal in Ivanti Avalanche (pre-6.4.5)
CVE-2024-47011
7.5 - High
- October 08, 2024
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to leak sensitive information.
Directory traversal
Ivanti Avalanche 6.3.1: Path Traversal in Skin Mgmt Enables File Delete DoS
CVE-2024-38652
9.1 - Critical
- August 14, 2024
Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion.
Directory traversal
Ivanti Avalanche 6.3.1: WLInfoRailService Off-by-One DoS (CVE-2024-36136)
CVE-2024-36136
7.5 - High
- August 14, 2024
An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.
off-by-five
RCE via Improper Input in Ivanti Avalanche 6.3.1 Central Filestore
CVE-2024-37373
7.2 - High
- August 14, 2024
Improper input validation in the Central Filestore in Ivanti Avalanche 6.3.1 allows a remote authenticated attacker with admin rights to achieve RCE.
NULL Pointer Deref. in WLAvalancheService causing DoS in Ivanti Avalanche 6.3.1
CVE-2024-37399
7.5 - High
- August 14, 2024
A NULL pointer dereference in WLAvalancheService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.
NULL Pointer Dereference
XXE in SmartDeviceServer of Ivanti Avalanche 6.3.1 Remote File Read
CVE-2024-38653
7.5 - High
- August 14, 2024
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
XXE
Unrestricted File Upload in Ivanti Avalanche 6.4.x Enables SYSTEM Exec
CVE-2024-29848
7.2 - High
- May 31, 2024
An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM.
Out-of-Bounds Read in WLAvalancheService (Ivanti Avalanche <6.4.3)
CVE-2024-23527
7.5 - High
- April 25, 2024
An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.
OOB Read CVE-2024-23532 in Ivanti Avalanche <6.4.3 (WLAvalancheService)
CVE-2024-23532
7.5 - High
- April 19, 2024
An out-of-bounds Read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. In certain conditions this could also lead to remote code execution.
Path Traversal in Ivanti Avalanche <6.4.3 Web Comp Allows Remote Deletion
CVE-2024-27977
8.1 - High
- April 19, 2024
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete arbitrary files, thereby leading to Denial-of-Service.
Null Pointer Deref in Ivanti Avalanche WLA Service < 6.4.3 (DoS)
CVE-2024-27978
6.5 - Medium
- April 19, 2024
A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks.
Ivanti Avalanche 6.x Web Component Path Traversal Deletion/DoS (CVE-2024-27984)
CVE-2024-27984
7.1 - High
- April 19, 2024
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete specific type of files and/or cause denial of service.
Heap Overflow in Ivanti Avalanche WLAvalancheService before 6.4.3
CVE-2024-29204
- April 19, 2024
A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands.
Heap-based Buffer Overflow
Ivanti Avalanche < 6.4.3 Integer Overflow in WLInfoRailService DoS
CVE-2024-23531
7.5 - High
- April 19, 2024
An Integer Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to perform denial of service attacks. In certain rare conditions this could also lead to reading content from memory.
OOB Read in Ivanti Avalanche WLAvalancheService before 6.4.3
CVE-2024-23530
7.5 - High
- April 19, 2024
An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.
Out-of-Bounds Read in WLAvalancheService of Ivanti Avalanche v<6.4.3
CVE-2024-23529
7.5 - High
- April 19, 2024
An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.
OOB Read in Ivanti Avalanche WLAvalancheService before 6.4.3
CVE-2024-23528
7.5 - High
- April 19, 2024
An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.
IVANTI AVALANCHE OOB Read in WLAvalancheService <6.4.3
CVE-2024-23526
7.5 - High
- April 19, 2024
An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory.
Heap Overflow WLInfoRailService Ivanti Avalanche <6.4.3 Remote Cmd Exec
CVE-2024-22061
9.8 - Critical
- April 19, 2024
A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands.
Ivanti Avalanche <6.4.3 Path Traversal Allowing Authenticated Remote Execution
CVE-2024-27976
- April 19, 2024
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
Directory traversal
Use-after-free in Ivanti Avalanche WLAvalancheService (6.4.3)
CVE-2024-27975
- April 19, 2024
A use-after-free vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
Dangling pointer
Ivanti Avalanche <6.4.3: Path Traversal Enables Remote System Cmd
CVE-2024-25000
- April 19, 2024
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
Directory traversal
Ivanti Avalanche <6.4.3 Web PathTraversal Allows Authenticated SYSTEM Exec
CVE-2024-24999
- April 19, 2024
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
Directory traversal
Path Traversal in Ivanti Avalanche Web Comp Before 6.4.3: Remote Exec as SYS
CVE-2024-24998
8.8 - High
- April 19, 2024
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
Path Traversal in Ivanti Avalanche <6.4.3 enabling remote auth to SYSTEM exec
CVE-2024-24997
- April 19, 2024
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
Directory traversal
Heap Overflow in Ivanti Avalanche WLInfoRailService <6.4.3 Exploitable
CVE-2024-24996
9.8 - Critical
- April 19, 2024
A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands.
Ivanti Avalanche Web Component TOCTOU Race, prior to 6.4.3 allows RCE as SYSTEM
CVE-2024-24995
- April 19, 2024
A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
TOCTTOU
Path Traversal in Ivanti Avalanche Web Component (before 6.4.3) Enables RCE
CVE-2024-24994
8.8 - High
- April 19, 2024
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
Ivanti Avalanche <6.4.3 TOCTOU Race Condition for Remote Auth Cmd Exec as SYSTEM
CVE-2024-24993
7.5 - High
- April 19, 2024
A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
Path Traversal in Ivanti Avalanche Web Component before 6.4.3
CVE-2024-24992
8.8 - High
- April 19, 2024
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
Out-of-bounds read in WLAvalancheService before 6.4.3 (Ivanti Avalanche)
CVE-2024-23533
6.5 - Medium
- April 19, 2024
An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an authenticated remote attacker to read sensitive information in memory.
Ivanti Avalanche <6.4.3 Null Ptr Deref in WLAvalancheService Causing DoS
CVE-2024-24991
6.5 - Medium
- April 19, 2024
A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks.
Ivanti Avalanche < 6.4.3 Path Traversal Remote Authenticated Command Execution
CVE-2024-23535
- April 19, 2024
A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
Directory traversal
Ivanti Avalanche 6.4.3 Unrestricted FileUpload RCE as SYSTEM
CVE-2024-23534
- April 19, 2024
An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM.
Unrestricted File Upload