CVE-2023-28126: 
Ivanti Avalanche vulnerability analysis and mitigation

An authentication bypass vulnerability (CVE-2023-28126) was discovered in Ivanti Avalanche versions 6.3.x and below. The vulnerability was reported on March 10, 2023, and publicly disclosed on May 9, 2023. The vulnerability affects Ivanti Avalanche Enterprise Server installations and allows attackers to bypass authentication through the SetUser method or by exploiting a race condition in the authentication message (NVD, ZDI).

The vulnerability exists within the GetSettings class and stems from the exposure of a dangerous method or function to unprivileged users. The issue has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is associated with CWE-362 (Race Condition) and CWE-305 (Authentication Bypass by Primary Weakness) (NVD, ZDI).

When successfully exploited, this vulnerability allows attackers to bypass authentication mechanisms on affected systems, potentially gaining unauthorized access to the Avalanche Enterprise Server. The CVSS scoring indicates high confidentiality impact but no direct impact on integrity or availability (ZDI).

Ivanti has released updates to address this vulnerability. Users are advised to upgrade their Avalanche installations to versions newer than 6.3.x (ZDI).