CVE-2023-41727: 
Ivanti Avalanche vulnerability analysis and mitigation

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution. This critical vulnerability (CVE-2023-41727) affects Ivanti Avalanche versions up to 6.4.2 and was discovered by researchers at Tenable. The vulnerability was patched in Avalanche version 6.4.2 released in December 2023 (Release Notes, Arctic Wolf).

The vulnerability is classified as an unauthenticated buffer overflow with a CVSS v3.1 base score of 9.8 (Critical). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The vulnerability is tracked as CWE-787 (Out-of-bounds Write) (NVD).

If successfully exploited, this vulnerability could allow an attacker to cause memory corruption leading to either a Denial of Service condition, disrupting the availability of the Mobile Device Server, or potentially achieve arbitrary code execution on the affected system (NVD).

The vulnerability has been patched in Ivanti Avalanche version 6.4.2. Organizations are strongly recommended to upgrade to this version to address this and other security vulnerabilities. The fix was released as part of a security update that addressed multiple critical vulnerabilities (Release Notes, Arctic Wolf).