CVE-2023-46222: 
Ivanti Avalanche vulnerability analysis and mitigation

An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result in a Denial of Service (DoS) or code execution in Ivanti Avalanche. This critical vulnerability (CVE-2023-46222) affects all supported versions of Avalanche 6.3.1 and above, as well as older versions (Ivanti Blog).

CVE-2023-46222 is a stack-based buffer overflow remote code execution vulnerability in the Ivanti Avalanche WLAvalancheService component. The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it can be exploited remotely with low attack complexity and requires no privileges or user interaction (NVD).

The vulnerability allows attackers to potentially achieve remote code execution or cause denial of service conditions on affected systems. Given the critical CVSS score of 9.8, successful exploitation could lead to complete system compromise, allowing attackers to execute arbitrary code with the highest privileges (Arctic Wolf).

Ivanti has released version 6.4.2.313 of Avalanche to address this vulnerability along with several other security issues. Organizations are strongly recommended to upgrade to this latest version to protect against potential exploitation. The fix is available in the Avalanche 6.4.2 release (Release Notes).