What is CVE-2023-32560?

CVE-2023-32560 is a high-severity vulnerability in Ivanti Avalanche. CVSS score: 8.8/10. Published 2023-08-10.

How severe is CVE-2023-32560?

High severity. CVSS v3 base score is 8.8 out of 10.

Is CVE-2023-32560 known to be exploited?

6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Ivanti Avalanche

CVE-2023-32560

An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a Researcher at Tenable for finding and reporting. Fixed in version 6.4.1.

EPSS: 0.922 (99.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Ivanti Avalanche — versions 6.4.1

Public proof-of-concept exploits

idkwastaken/CVE-2023-32560
x0rb3l/CVE-2023-32560
rapid7/metasploit-framework
20142995/nuclei-templates
cyb3r-w0lf/nuclei-template-collection
nomi-sec/PoC-in-GitHub

References

forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1
packetstormsecurity.com/files/174459/Ivanti-Avalance-Remote-Code-Execution.html
packetstormsecurity.com/files/174698/Ivanti-Avalanche-MDM-Buffer-Overflow.html

Frequently asked questions

What is CVE-2023-32560?: CVE-2023-32560 is a high-severity vulnerability in Ivanti Avalanche. CVSS score: 8.8/10. Published 2023-08-10.
How severe is CVE-2023-32560?: High severity. CVSS v3 base score is 8.8 out of 10.
Is CVE-2023-32560 known to be exploited?: 6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.