CVE-2023-32563: 
Ivanti Avalanche vulnerability analysis and mitigation

CVE-2023-32563 is a critical vulnerability in Ivanti Avalanche that allows an unauthenticated attacker to achieve remote code execution through a RemoteControl server. The vulnerability was discovered in May 2023 and affects Avalanche versions up to (excluding) 6.4.1 (NVD, ZDI).

The vulnerability is classified with a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The specific flaw exists within the updateSkin method and results from the lack of proper validation of a user-supplied path prior to using it in file operations. It is categorized as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD, ZDI).

An attacker can leverage this vulnerability to execute code in the context of SYSTEM, potentially gaining complete control over the affected system. The vulnerability's critical severity rating indicates that successful exploitation could lead to a full compromise of the target system (ZDI).

Ivanti has released version 6.4.1 of Avalanche to address this vulnerability. Organizations using affected versions should upgrade to version 6.4.1 or later to mitigate the risk (ZDI).