Cyber Posture

CVE-2024-13813

High

Published: 11 February 2025

Modified: 20 February 2025
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0017 (37.4th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

Insufficient permissions in Ivanti Secure Access Client before version 22.8R1 allows a local authenticated attacker to delete arbitrary files.

Security Summary

CVE-2024-13813 is an insufficient permissions vulnerability (CWE-732) affecting Ivanti Secure Access Client in versions before 22.8R1. The issue stems from inadequate access controls that enable unauthorized file operations. It carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and was published on 2025-02-11.

A local authenticated attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction. Exploitation allows deletion of arbitrary files on the system, resulting in high integrity and availability impacts, such as data loss or service disruption, though confidentiality remains unaffected.

Ivanti's February Security Advisory covers this CVE alongside others in Ivanti Connect Secure, Policy Secure, and Secure Access Client, recommending an upgrade to version 22.8R1 or later to mitigate the issue. Full details are available at https://forums.ivanti.com/s/article/February-Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-and-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs.

Details

CWE(s)
CWE-732

Affected Products

ivanti
secure access client
≤ 22.8