CVE-2023-32564

9.8 CRITICAL

📋 TL;DR

CVE-2023-32564 is an unrestricted upload of a file with a dangerous type (CWE-434) in Ivanti Avalanche. An attacker who can reach the Avalanche web interface can upload a file that the server then executes, giving remote code execution on the Avalanche host. This page lists versions 6.4.1 and earlier as affected; a successful exploit can give the attacker full control of the server.

💻 Affected Systems

Products:
  • Ivanti Avalanche
Versions: 6.4.1 and earlier
Operating Systems: Windows Server (typically)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments with vulnerable versions regardless of configuration.

📦 What is this software?

Ivanti Avalanche (formerly Wavelink Avalanche) is an enterprise mobility management product used to enroll, configure and update fleets of mobile and rugged devices. It is administered through a web console that runs on a Windows server; that web interface is the exposure discussed on this page.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise. The attacker executes arbitrary code on the Avalanche server, steals data, deploys ransomware, or pivots from it to other systems on the network.

🟠 Likely Case: The attacker gains an initial foothold on the server, installs a backdoor (for an upload flaw, typically a web shell) and establishes persistence for follow-on activity.

🟢 If Mitigated: The attack is blocked at the perimeter or detected early, limiting impact to an isolated system with minimal data exposure.

🌐 Internet-Facing: HIGH - Web interface accessible from internet allows direct exploitation without internal access.
🏢 Internal Only: HIGH - Even internally accessible systems can be exploited by compromised internal accounts or lateral movement.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY (assessment, not a confirmed report of in-the-wild exploitation)
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Unrestricted file upload vulnerabilities are commonly exploited and are usually weaponized quickly once details are public, which is why weaponization is rated "likely" even though no public PoC is listed here.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.2 or later (as stated on this page; see note below)

Vendor Advisory: https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1?language=en_US

Restart Required: Yes

Note: the linked advisory is titled "Avalanche Vulnerabilities Addressed in 6.4.1", which does not match the "6.4.1 and earlier" affected range given above. Confirm the exact fixed build against the advisory before concluding that a 6.4.1 installation is vulnerable or patched.

Instructions:

1. Download Avalanche 6.4.2 or later from the Ivanti portal.
2. Back up the current configuration.
3. Install the update following Ivanti's upgrade documentation.
4. Restart the Avalanche services and confirm the new version in the console (see How to Verify).

🔧 Temporary Workarounds

Restrict File Upload Types (applies to: all)

Configure a web application firewall or reverse proxy in front of the Avalanche web interface to block uploads of executable and server-side file types (.exe, .dll, .php, .jsp, etc.). Caveat: an extension blocklist is easy to bypass (case variants, double extensions such as x.jsp.png, trailing dots or spaces, encoded null bytes) and does not fix the server-side flaw. Where the proxy supports it, allowlist only the file types the console legitimately needs, and treat either rule as a stopgap until the patch is applied.

Network Segmentation (applies to: all)

Isolate Avalanche servers from the internet and restrict internal access to the web interface to authorized management networks only.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Deploy application-level controls to validate and sanitize all file uploads

🔍 How to Verify

Check if Vulnerable:

Check Avalanche version in web interface or installation directory. Versions 6.4.1 or earlier are vulnerable.

Check Version:

Check Avalanche web interface > Help > About or examine installation directory version files.

Verify Fix Applied:

Confirm that the version shown in the web interface (Help > About) is 6.4.2 or later (see the advisory note under Official Fix). Then, from a test client, attempt to upload a file with a server-side executable extension (for example a harmless text file renamed to .jsp) and confirm that it is rejected. Keep any WAF or proxy rules added as a workaround in place until the patched version is confirmed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to the Avalanche web interface, especially from unauthenticated sessions or unexpected source addresses
  • New files with executable or server-side extensions written under the Avalanche installation or web application directories
  • Execution of unexpected child processes (cmd.exe, powershell.exe) from Avalanche service processes or directories
  • Failed file upload attempts with dangerous extensions, which often precede a successful bypass

Network Indicators:

  • HTTP POST requests with file uploads to Avalanche endpoints
  • Outbound connections from Avalanche server to unknown external IPs

SIEM Query:

source="avalanche.log" "upload" AND (".exe" OR ".dll" OR ".php" OR ".jsp")

(Starting point only: search terms as broad as "file" match most log lines and make the query very noisy. Tune the extension list and field names to your actual Avalanche log format, and add source-IP and user fields if your logs carry them.)
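As an added example (not Ivanti's code and not taken from the advisory), the following Python shows why the extension blocklist suggested under Temporary Workarounds is weaker than an allowlist, and then runs the same hardened filename check over constructed upload-log lines to implement the log indicators above. The log record format, the extension lists and every sample line are assumptions; Avalanche's real log format and upload paths are not documented on this page.

```python
import re
import urllib.parse

# Extensions the workaround names, plus other executable/server-side types (illustrative list).
DANGEROUS_EXTENSIONS = {"exe", "dll", "php", "jsp", "jspx", "war", "bat", "cmd", "ps1", "hta", "vbs"}
# Hypothetical allowlist; a real deployment derives this from what the console must accept.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "pdf", "csv", "txt", "xml"}


def normalize_filename(raw: str) -> str:
    """Undo the tricks used against naive extension checks: percent-encoding,
    an embedded NUL (which truncates the name on some stacks), directory
    components, trailing dots/spaces (ignored by Windows), and letter case."""
    name = urllib.parse.unquote(raw)
    name = name.split("\x00", 1)[0]
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.rstrip(". ")
    return name.lower()


def extensions_of(raw: str) -> list[str]:
    """Every extension of the normalized name: 'x.jsp.png' -> ['jsp', 'png']."""
    parts = normalize_filename(raw).split(".")
    return parts[1:] if len(parts) > 1 else []


def naive_denylist_allows(raw: str) -> bool:
    """What a blocklist proxy rule usually does: take the text after the last
    dot of the raw name and compare it with a list of bad extensions."""
    ext = raw.rsplit(".", 1)[-1].lower() if "." in raw else ""
    return ext not in DANGEROUS_EXTENSIONS


def allowlist_allows(raw: str) -> bool:
    """Hardened check: normalize first, require the final extension to be
    allowlisted, and reject if any earlier extension is dangerous ('x.jsp.png')."""
    exts = extensions_of(raw)
    if not exts:
        return False
    return exts[-1] in ALLOWED_EXTENSIONS and not any(e in DANGEROUS_EXTENSIONS for e in exts)


# Constructed application log lines for the demo (not a real Avalanche log format).
SAMPLE_LOG = """\
2024-05-02 10:15:31 INFO [upload] user=admin src=10.0.0.5 file="report.pdf" status=200
2024-05-02 10:16:02 INFO [upload] user=- src=203.0.113.7 file="shell.jsp%00.png" status=200
2024-05-02 10:16:09 INFO [upload] user=- src=203.0.113.7 file="cmd.JSP." status=200
2024-05-02 10:17:44 INFO [upload] user=ops src=10.0.0.9 file="devices-2024.05.csv" status=200
2024-05-02 10:18:13 INFO [upload] user=- src=198.51.100.4 file="..%2F..%2Fwebapps%2Fx.jsp" status=200
"""

LOG_RE = re.compile(r'user=(?P<user>\S+) src=(?P<src>\S+) file="(?P<file>[^"]*)"')


def scan_upload_log(text: str) -> list[dict]:
    """Flag upload records whose filename fails the allowlist check or that
    were made without an authenticated user; returns one finding per hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = []
        if not allowlist_allows(m["file"]):
            reasons.append(f"filename fails allowlist: {normalize_filename(m['file'])}")
        if m["user"] == "-":
            reasons.append("unauthenticated upload")
        if reasons:
            findings.append({"src": m["src"], "file": m["file"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for tricky in ("shell.jsp%00.png", "cmd.JSP.", "shell.jsp "):
        print(f"{tricky!r}: denylist allows={naive_denylist_allows(tricky)}, "
              f"allowlist allows={allowlist_allows(tricky)}")
    for f in scan_upload_log(SAMPLE_LOG):
        print(f["src"], f["file"], "; ".join(f["reasons"]))
```

The three "tricky" names all pass the naive denylist and all fail the allowlist, which is the point of the caveat in the workaround: block on what you expect, not on what you fear. The scanner keeps the normalized name in its finding so an analyst sees the payload (shell.jsp) rather than the decoy (.png).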
