Threat Advisory

Critical Vulnerability in Ivanti’s Avalanche Enterprise MDM Solution

August 25, 2023 | By Accorian

Ivanti, a leading technology company that offers IT asset management, security, endpoint, and supply chain solutions has released patches for seven critical and high-severity vulnerabilities in Avalanche, its Enterprise Mobile Device Management (MDM) solution. Among the vulnerabilities is the directory traversal flaw tracked down as CVE-2023-32563. It’s the most severe of the flaws with a CVSS score of 9.8.

The MDM solution’s updateSkin function has this directory traversal flaw that can be exploited without authentication. The problem arises from a user-supplied path not being properly validated before being used in file operations. This vulnerability can be misused by an attacker to execute remote codes.
The release also addressed multiple stack-based buffer overflow bugs collectively tracked down as CVE-2023-32560 with a CVSS score of 8.8. These were discovered in the Wavelink Avalance Manager, which processes data using a fixed-size stack-based buffer. By delivering a specially written message to the service, an adversary can take advantage of this and potentially cause code execution or disrupt the service.

In addition, two other high-severity remote code execution vulnerabilities CVE-2023-32562 and CVE-2023-32564 and three authentication bypass flaws CVE-2023-32561, CVE-2023-32565, and CVE-2023-32566 present in various components of the MDM solution were patched.
Although none of these problems have been reported as being exploited in the wild, Accorian strongly recommends that all users of Avalanche update it to version, released earlier this month.

For any further assistance, kindly reachout to us on

Source: Ivanti Patches Critical Vulnerability in Avalanche Enterprise MDM Solution – SecurityWeek

Threat Advisory

Team Accorian

Recent Post

Ready to Start?

Ready to Start?​

Drop your CVs to

Interested Position

Download Case study

Download SOC2 Guide