CVE-2022-36974: 
Ivanti Avalanche vulnerability analysis and mitigation

CVE-2022-36974 is a critical vulnerability discovered in Ivanti Avalanche version 6.3.2.3490. The vulnerability allows remote attackers to execute arbitrary code on affected installations. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed (Zero Day Initiative).

The vulnerability exists within the Web File Server service of Ivanti Avalanche. The specific flaw stems from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) (Zero Day Initiative, NVD).

An attacker can leverage this vulnerability to execute arbitrary code in the context of the service account. Given the critical CVSS score and the ability to bypass authentication, successful exploitation could lead to complete system compromise (Zero Day Initiative).

Ivanti has released version 6.3.4 to address this vulnerability. The fix is documented in the release notes, specifically addressing ZDI-CAN-15330 which corresponds to this CVE (Avalanche Release Notes).