CVE-2023-46265

9.8 CRITICAL

📋 TL;DR

This critical vulnerability allows unauthenticated attackers to exploit an XML External Entity (XXE) vulnerability in the Smart Device Server, potentially leading to data leakage or Server-Side Request Forgery (SSRF). Systems running vulnerable versions of Ivanti Avalanche are affected, particularly those with the Smart Device Server component exposed.

💻 Affected Systems

Products:
  • Ivanti Avalanche
Versions: Prior to 6.4.2
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the Smart Device Server component of Ivanti Avalanche. Default installations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through SSRF to internal services, sensitive data exfiltration via XXE, and potential lateral movement within the network.

🟠 Likely Case

Unauthenticated attackers reading sensitive files from the server and making requests to internal services, potentially exposing credentials or internal infrastructure.

🟢 If Mitigated

Limited impact if proper network segmentation and input validation are in place, though the vulnerability remains exploitable.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE vulnerabilities are well-understood and frequently weaponized. The unauthenticated nature makes this particularly dangerous.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.2

Vendor Advisory: https://download.wavelink.com/Files/avalanche_v6.4.2_release_notes.txt

Restart Required: Yes

Instructions:

1. Download Ivanti Avalanche version 6.4.2 from the vendor portal.
2. Back up the current configuration and data.
3. Run the installer to upgrade to version 6.4.2.
4. Restart the Avalanche services.

🔧 Temporary Workarounds

Network Segmentation (all)

Restrict network access to the Smart Device Server to only trusted sources.

Disable External Entity Processing (all)

Configure XML parsers to disable external entity resolution.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Deploy web application firewall with XXE protection rules

🔍 How to Verify

Check if Vulnerable:

Check the Avalanche version in the administration console. If the version is below 6.4.2, the system is vulnerable.

Check Version:

Check via Avalanche web interface: Administration > System Information

Verify Fix Applied:

Confirm that the version is 6.4.2 or higher in the administration console and test that XXE payloads are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors
  • Requests with XML content to Smart Device Server endpoints
  • Outbound connections from server to unexpected internal services

Network Indicators:

  • HTTP requests containing XML external entity declarations
  • Unusual outbound traffic patterns from the Avalanche server

SIEM Query:

source="avalanche" AND (message="*XXE*" OR message="*external entity*" OR message="*DOCTYPE*")
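The SIEM query above only fires if the parser actually logs the DOCTYPE or entity error. The following added example (not Ivanti's code; the Smart Device Server's real parser and message format are unknown from this page) shows the two defensive ideas from the Workarounds and Detection sections side by side in Python: flag any inbound XML body that carries a DOCTYPE or ENTITY declaration, and parse with external entity resolution switched off. The `<checkin>`/`<device>` body shape and the probe body are constructed for the example.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample request bodies (not captured from a real Smart Device Server).
BENIGN_BODY = (b'<?xml version="1.0"?>'
               b'<checkin><device id="dev-01"/><device id="dev-02"/></checkin>')
# Constructed probe: a DOCTYPE with an external entity declaration, as named in
# the Network Indicators above. The URI is a placeholder, not a working payload.
PROBE_BODY = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE checkin [<!ENTITY ext SYSTEM "placeholder://blocked">]>'
              b'<checkin><device id="&ext;"/></checkin>')

# Detection rule: a device check-in has no legitimate use for a DTD (assumption
# for this example), so any DOCTYPE/ENTITY declaration is worth an alert.
_DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(body: bytes) -> bool:
    """Return True if the body declares a DOCTYPE or ENTITY (possible XXE attempt)."""
    return _DTD_RE.search(body) is not None


class _DeviceCollector(ContentHandler):
    """Collects the device ids, the only data the sample check-in carries."""

    def __init__(self):
        super().__init__()
        self.devices = []

    def startElement(self, name, attrs):
        if name == "device":
            self.devices.append(attrs.get("id", ""))


def parse_hardened(body: bytes) -> dict:
    """Parse a check-in with external entity resolution disabled.

    Defence in depth: reject bodies that carry a DTD at all, and also tell the
    expat-based SAX parser not to resolve external general or parameter
    entities, so a DTD that slips past the regex still cannot reach
    file:// or http:// targets.
    """
    if has_dtd(body):
        raise ValueError("rejected: DOCTYPE/ENTITY declaration in request body")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)   # no external general entities
    parser.setFeature(feature_external_pes, False)   # no external parameter entities
    collector = _DeviceCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return {"devices": collector.devices}
```

Logging the `has_dtd` result per request gives the SIEM a field to match on even when the parser itself stays silent.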
