CVE-2024-13813

7.1 HIGH

📋 TL;DR

CVE-2024-13813 is an insufficient permissions vulnerability in Ivanti Secure Access Client that allows local authenticated attackers to delete arbitrary files. This affects organizations using Ivanti Secure Access Client versions before 22.8R1 for remote access. Attackers must have local authenticated access to the system to exploit this vulnerability.

💻 Affected Systems

Products:
  • Ivanti Secure Access Client
Versions: All versions before 22.8R1
Operating Systems: Windows, Linux, macOS (where Ivanti Secure Access Client is installed)
Default Config Vulnerable: ⚠️ Yes
Notes: This affects the Ivanti Secure Access Client software itself, not the Ivanti Connect Secure or Policy Secure gateways. The vulnerability exists in the client software installed on endpoints.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could delete critical system files, configuration files, or user data, potentially causing system instability, data loss, or service disruption.

🟠 Likely Case

Malicious insiders or compromised accounts could delete specific files to disrupt operations, destroy evidence, or cause targeted damage to the system.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to files accessible to the user's account, with detection of suspicious file deletion activities.

🌐 Internet-Facing: LOW - This requires local authenticated access, so internet-facing systems are not directly vulnerable unless attackers first gain local access through other means.
🏢 Internal Only: MEDIUM - Internal users with authenticated access can exploit this, but it requires local system access rather than network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local authenticated access to the system where Ivanti Secure Access Client is installed. The attacker must have valid credentials and local access to execute the file deletion.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 22.8R1 and later

Vendor Advisory: https://forums.ivanti.com/s/article/February-Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-and-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs

Restart Required: No

Instructions:

1. Download Ivanti Secure Access Client version 22.8R1 or later from the Ivanti support portal.
2. Install the updated client on all affected endpoints.
3. Verify the installation completed successfully.

🔧 Temporary Workarounds

Restrict local user permissions

all

Limit local user account permissions to reduce the impact of file deletion capabilities

🧯 If You Can't Patch

  • Implement strict access controls to limit which users can access systems with Ivanti Secure Access Client installed
  • Enable detailed file system auditing and monitoring to detect unauthorized file deletion attempts

🔍 How to Verify

Check if Vulnerable:

Check the Ivanti Secure Access Client version in the application's about section or via the command line interface

Check Version:

On Windows: Check program version in Control Panel > Programs and Features. On Linux/macOS: Check the application version in the GUI or via package manager.

Verify Fix Applied:

Verify the installed version is 22.8R1 or later and test that file deletion permissions are properly restricted

📡 Detection & Monitoring

Log Indicators:

  • Unusual file deletion events in system logs
  • Multiple failed file deletion attempts
  • File deletion activities from Ivanti Secure Access Client processes

Network Indicators:

  • This is a local vulnerability with minimal network indicators

SIEM Query:

EventID=4663 (Windows File Delete) OR syslog entries showing file deletion from Ivanti processes
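
The triage that the query above points at, as an added example (not taken from the vendor advisory or from this page's source). Event 4663 records an object access attempt, and a delete request shows up as the DELETE right (0x10000) in its AccessMask field. The process path marker, the allowed directory and every sample event are constructed placeholders, and events are assumed to be exported as dicts keyed by the standard 4663 field names.

```python
DELETE = 0x10000  # DELETE standard access right as it appears in 4663 AccessMask

def is_client_delete(event, markers):
    """True if a 4663 event shows DELETE access requested by a client process."""
    if event.get("EventID") != 4663:
        return False
    try:
        mask = int(str(event.get("AccessMask", "0")), 16)
    except ValueError:
        return False  # malformed mask: skip rather than crash the triage run
    proc = event.get("ProcessName", "").lower()
    return bool(mask & DELETE) and any(m.lower() in proc for m in markers)

def suspicious_deletes(events, markers, allowed_prefixes):
    """Client-process deletions whose target lies outside the client's own dirs."""
    hits = []
    for ev in events:
        if not is_client_delete(ev, markers):
            continue
        target = ev.get("ObjectName", "")
        if not any(target.lower().startswith(p.lower()) for p in allowed_prefixes):
            hits.append((ev.get("SubjectUserName"), ev.get("ProcessName"), target))
    return hits

# Constructed values, not real Ivanti paths: replace with your endpoint inventory.
MARKERS = (r"c:\example\vpnclient",)
ALLOWED = (r"C:\Example\VpnClient",)
CLIENT = r"C:\Example\VpnClient\client-service.exe"

SAMPLE_EVENTS = [  # constructed 4663 records, as exported to dicts
    {"EventID": 4663, "SubjectUserName": "alice", "ProcessName": CLIENT,
     "ObjectName": r"C:\Example\VpnClient\logs\old.log", "AccessMask": "0x10000"},
    {"EventID": 4663, "SubjectUserName": "alice", "ProcessName": CLIENT,
     "ObjectName": r"C:\Windows\System32\drivers\etc\hosts", "AccessMask": "0x10000"},
    {"EventID": 4663, "SubjectUserName": "alice", "ProcessName": CLIENT,
     "ObjectName": r"C:\Users\alice\notes.txt", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "bob", "ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": r"C:\Users\bob\tmp.txt", "AccessMask": "0x10000"},
]

if __name__ == "__main__":
    for user, proc, target in suspicious_deletes(SAMPLE_EVENTS, MARKERS, ALLOWED):
        print(f"REVIEW: {user} via {proc} requested DELETE on {target}")
```

Windows only writes 4663 events for objects whose SACL requests auditing and when file system object-access auditing is enabled, so the filter sees nothing on paths that are not audited.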
