
CVE-2023-32560: Ivanti Avalanche RCE Vulnerability

CVE-2023-32560 is an unauthenticated remote code execution vulnerability in the Wavelink Avalanche Manager component of Ivanti Avalanche. A crafted network message overflows a fixed-size stack buffer, letting an attacker crash the service or run arbitrary code on the server. This article covers the technical details, affected versions, detection, and mitigation.

CVE-2023-32560 Overview

CVE-2023-32560 is a stack-based buffer overflow in the Wavelink Avalanche Manager component of Ivanti Avalanche. An attacker who can reach the Manager's listening port sends a specially crafted message whose contents are written past the end of a fixed-size stack buffer; depending on the payload this crashes the service or leads to arbitrary code execution. The flaw is remotely exploitable without authentication or user interaction, and NVD rates it CVSS 3.1 9.8 (critical). Ivanti credits a researcher at Tenable with finding and reporting the issue and addressed the vulnerability in Avalanche version 6.4.1.

Critical Impact

Unauthenticated remote attackers can execute arbitrary code on Ivanti Avalanche Manager servers by sending crafted network messages, exposing enterprise mobility management infrastructure to full compromise.

Affected Products

  • Ivanti Avalanche (Wavelink Avalanche Manager) versions prior to 6.4.1
  • Deployments exposing the Avalanche Manager service to untrusted networks
  • Enterprise mobility management (EMM) environments using affected Avalanche releases

Discovery Timeline

  • 2023-08-10 - CVE-2023-32560 published to the National Vulnerability Database (NVD)
  • 2025-03-06 - Last updated in NVD database

Technical Details for CVE-2023-32560

Vulnerability Analysis

The vulnerability is an out-of-bounds write [CWE-787] combined with improper input validation [CWE-20] in the Wavelink Avalanche Manager message-handling code. The Avalanche Manager component processes messages received over the network from agents and clients. When parsing certain crafted messages, the service writes attacker-controlled data past the bounds of a fixed-size stack buffer.

Because the overwritten region lies on the stack, the excess bytes can clobber saved return addresses, exception handler records, or adjacent local variables. With an unstructured payload the result is an access violation or a failed stack-cookie check that terminates the service (denial of service); with a carefully laid-out payload an attacker can redirect control flow (for example into a ROP chain or shellcode, depending on the mitigations in effect on the host) and execute code with the privileges of the Avalanche Manager service account. The flaw requires no authentication and no user interaction.

Public proof-of-concept exploits demonstrating both the underlying buffer overflow (a crash) and remote code execution are available through Packet Storm. The vulnerability's EPSS score places it among those most likely to be exploited, which is consistent with working exploit code being public.

Root Cause

The root cause is missing length validation on attacker-controlled fields before they are copied into a fixed-size stack buffer inside the Avalanche Manager message parser. The service trusts size fields supplied by the remote client and performs a memory copy without verifying that the source data fits the destination buffer.

Attack Vector

The attack vector is network-based. An attacker reaches the Avalanche Manager listening port and transmits a crafted message containing an oversized field or malformed length value. Successful exploitation does not require credentials, user interaction, or prior access to the target environment.

No verified code samples are published by the vendor. Technical exploitation details are documented in the Packet Storm RCE Exploit and Packet Storm Buffer Overflow advisories.
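The pattern described above, reconstructed as an added illustrative example: this is not Ivanti's code, the Tenable advisory, or the Packet Storm exploit, and it does not claim to match the real wire format. It assumes (for the demo only) a length-prefixed hex-string item and a 256-byte stack buffer, and models the stack frame as a struct so that the saved-return slot being overwritten can be observed without crashing the process. The vulnerable parser checks only that the declared length fits inside the packet; the hardened parser also checks it against the destination buffer before decoding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative reconstruction of the vulnerable pattern, not Ivanti's code.
 * Assumed wire item: 2-byte big-endian length N, then N ASCII hex characters
 * that the parser decodes into a fixed-size stack buffer. */
#define ITEM_BUF 256   /* assumed size of the fixed stack buffer */

/* Simulated stack frame: the destination buffer and the value stored right
 * above it. In a real frame that slot is a saved register or return address. */
struct frame {
    unsigned char item[ITEM_BUF];
    uint32_t saved_return;
};

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode hexlen hex characters into dst. Returns bytes written, or -3 on a
 * non-hex character. Performs NO bounds check: the caller is responsible. */
static int hex_decode(unsigned char *dst, const unsigned char *hex, size_t hexlen)
{
    size_t n = hexlen / 2;
    for (size_t i = 0; i < n; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -3;
        dst[i] = (unsigned char)((hi << 4) | lo);
    }
    return (int)n;
}

/* VULNERABLE: validates only that the declared length fits inside the packet,
 * then decodes into the frame without comparing it against ITEM_BUF. Bytes
 * past item[] land on saved_return. (The cap at sizeof(*f) exists only so this
 * demo cannot corrupt its own process; the real bug has no such cap.) */
int parse_item_unsafe(struct frame *f, const unsigned char *msg, size_t msglen)
{
    if (msglen < 2) return -1;
    size_t hexlen = ((size_t)msg[0] << 8) | msg[1];
    if (hexlen > msglen - 2) return -1;                      /* only the packet bound */
    if (hexlen / 2 > sizeof(*f)) hexlen = 2 * sizeof(*f);    /* demo-only guard */
    return hex_decode((unsigned char *)f, msg + 2, hexlen);
}

/* HARDENED: rejects odd lengths and anything that would not fit in item[]
 * before a single byte is written. */
int parse_item_safe(struct frame *f, const unsigned char *msg, size_t msglen)
{
    if (msglen < 2) return -1;
    size_t hexlen = ((size_t)msg[0] << 8) | msg[1];
    if (hexlen > msglen - 2) return -1;
    if ((hexlen & 1) || hexlen / 2 > ITEM_BUF) return -2;    /* the missing check */
    return hex_decode(f->item, msg + 2, hexlen);
}

/* Constructed attacker message (sample input, not a real capture): ITEM_BUF + 4
 * bytes of 0x41, hex-encoded, so the four bytes past the buffer overwrite
 * saved_return with 0x41414141. Returns the message length, or 0 if out is too small. */
size_t build_overflow_message(unsigned char *out, size_t outcap)
{
    size_t payload = ITEM_BUF + sizeof(uint32_t);
    size_t hexlen = 2 * payload;
    if (outcap < 2 + hexlen) return 0;
    out[0] = (unsigned char)(hexlen >> 8);
    out[1] = (unsigned char)(hexlen & 0xff);
    for (size_t i = 0; i < hexlen; i++) out[2 + i] = (i & 1) ? '1' : '4';   /* "41" repeated */
    return 2 + hexlen;
}

int main(void)
{
    unsigned char msg[2 + 2 * (ITEM_BUF + 8)];
    size_t n = build_overflow_message(msg, sizeof msg);
    struct frame f;

    memset(&f, 0, sizeof f); f.saved_return = 0xdeadbeefu;
    printf("unsafe: rc=%d saved_return=0x%08x\n",
           parse_item_unsafe(&f, msg, n), (unsigned)f.saved_return);

    memset(&f, 0, sizeof f); f.saved_return = 0xdeadbeefu;
    printf("safe:   rc=%d saved_return=0x%08x\n",
           parse_item_safe(&f, msg, n), (unsigned)f.saved_return);
    return 0;
}
```

The two conditions the hardened parser enforces (an odd hex length, or a declared length larger than twice the destination buffer) are also the conditions a network signature for this service would need to flag; the real fix belongs in the parser, since the size of the destination buffer is known only there.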

Detection Methods for CVE-2023-32560

Indicators of Compromise

  • Unexpected crashes, restarts, or Windows error reporting events for the Avalanche Manager service process
  • Inbound traffic to Avalanche Manager service ports originating from unmanaged hosts or external networks
  • Child processes spawned by the Avalanche Manager service that are inconsistent with normal operation, such as cmd.exe, powershell.exe, or rundll32.exe
  • Outbound connections from the Avalanche server to unfamiliar IP addresses shortly after anomalous inbound traffic

Detection Strategies

  • Monitor process lineage on Avalanche servers and alert on any non-standard child process created by the Avalanche Manager service
  • Inspect Windows Event Logs for Application Error (Event ID 1000) and Windows Error Reporting events naming the Avalanche Manager binaries; an exception code of 0xc0000409 (STATUS_STACK_BUFFER_OVERRUN, a failed /GS stack-cookie check) or 0xc0000005 (access violation) in such an event is consistent with a failed or unstable exploitation attempt
  • Deploy network signatures that flag oversized or malformed messages targeting Avalanche Manager listening ports

Monitoring Recommendations

  • Restrict and log all network access to Avalanche Manager ports, alerting on connections from outside the management subnet
  • Forward Avalanche application, system, and security logs to a centralized SIEM for correlation with endpoint telemetry
  • Track service uptime and unexpected restarts that may indicate failed exploitation attempts

How to Mitigate CVE-2023-32560

Immediate Actions Required

  • Upgrade Ivanti Avalanche to version 6.4.1 or later, which contains the vendor fix
  • Place Avalanche Manager servers behind firewall rules that restrict access to trusted management networks only
  • Audit Avalanche servers for signs of prior exploitation, including unexpected service crashes and anomalous child processes
  • Rotate credentials and service account secrets used by Avalanche if compromise is suspected

Patch Information

Ivanti fixed CVE-2023-32560 in Avalanche version 6.4.1. Refer to the Ivanti Vulnerabilities Advisory for the complete list of addressed issues and upgrade guidance. Apply the update on all Avalanche Manager instances, including high-availability and disaster-recovery nodes.

Workarounds

  • Where immediate patching is not possible, block external access to Avalanche Manager service ports at the perimeter and host firewall
  • Limit Avalanche Manager exposure to a dedicated management VLAN reachable only by authorized administrators and managed devices
  • Disable or isolate any unused Avalanche Manager components to reduce the attack surface until the upgrade is applied
```cmd
REM Restrict the Avalanche Manager listener to a trusted management subnet.
REM Replace <AvalanchePort> with the Manager's listening port and
REM 10.10.20.0/24 with your management subnet.
REM Windows Firewall evaluates block rules before allow rules, so do NOT add
REM a blanket block rule for the port: it would also block the trusted subnet.
REM Make the default inbound action block and add only the scoped allow rule.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

netsh advfirewall firewall add rule name="Avalanche Manager - Restrict Inbound" ^
  dir=in action=allow protocol=TCP localport=<AvalanchePort> ^
  remoteip=10.10.20.0/24 profile=any

REM Confirm the rule, then check that no broader allow rule for the same port
REM (for example one created by the installer) remains enabled.
netsh advfirewall firewall show rule name="Avalanche Manager - Restrict Inbound"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
