CVE-2023-32560

CRITICAL

Ivanti Avalanche < 6.4.1 - Remote Code Execution via Crafted Message

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2023-32560: PoCs published by Robel Campbell, idkwastaken and x0rb3l, plus the Metasploit module exploits/windows/misc/ivanti_avalanche_mdm_bof.

AI-analyzed exploit summary: This exploit targets Ivanti Avalanche <v6.4.0.0 via a crafted network message to achieve remote code execution. It leverages a stack-based buffer overflow with a ROP chain and embedded shellcode for a reverse TCP shell.

Description

An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in service disruption or arbitrary code execution. Thanks to a Researcher at Tenable for finding and reporting. Fixed in version 6.4.1.

Exploits (4)

exploitdb WORKING POC
by Robel Campbell · python · remote · windows
https://www.exploit-db.com/exploits/51699

This exploit targets Ivanti Avalanche <v6.4.0.0 via a crafted network message to achieve remote code execution. It leverages a stack-based buffer overflow with a ROP chain and embedded shellcode for a reverse TCP shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Avalanche <v6.4.0.0
No auth needed
Prerequisites: Network access to target port 1777 · Target running vulnerable Ivanti Avalanche version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by idkwastaken · poc
https://github.com/idkwastaken/CVE-2023-32560

This repository contains a functional exploit for CVE-2023-32560, targeting Ivanti Avalanche <v6.4.0.0. The exploit leverages a buffer overflow vulnerability to achieve remote code execution via a crafted network message with embedded shellcode.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Avalanche <v6.4.0.0
No auth needed
Prerequisites: Network access to target on port 1777 · Target running vulnerable version of Ivanti Avalanche
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by x0rb3l · poc
https://github.com/x0rb3l/CVE-2023-32560

This is a functional proof-of-concept exploit for CVE-2023-32560, targeting Ivanti Avalanche v6.4.0.0. It leverages a buffer overflow vulnerability to achieve remote code execution by sending a maliciously crafted packet to the target service on port 1777.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Avalanche v6.4.0.0
No auth needed
Prerequisites: Network access to the target service on port 1777 · Target software running Ivanti Avalanche v6.4.0.0
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/ivanti_avalanche_mdm_bof.rb

This Metasploit module exploits a buffer overflow in Ivanti Avalanche MDM (CVE-2023-32560) by sending a crafted packet to port 1777, leveraging a ROP chain to bypass DEP and achieve arbitrary code execution with SYSTEM privileges.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Avalanche MDM <= v6.4.0.0
No auth needed
Prerequisites: Network access to port 1777 on the target system
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3: 9.8
EPSS: 0.9892
EPSS Percentile: 99.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-20, CWE-787
Status: published
Products (1): ivanti/avalanche < 6.4.1
Published: Aug 10, 2023
Tracked Since: Feb 18, 2026