CVE-2023-28127

Severity: High

Published: 09 May 2023

Modified: 28 January 2025
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0599 (90.9th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-28127 is a high-severity Path Traversal (CWE-22) vulnerability in Ivanti Avalanche. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 9.1% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

A path traversal vulnerability tracked as CVE-2023-28127 affects Ivanti Avalanche versions 6.3.x and earlier. The flaw, assigned CWE-22, permits unauthorized access to files outside intended directories. It carries a CVSS 3.1 score of 7.5, reflecting a network attack vector, low attack complexity, and no required credentials or user interaction, with high confidentiality impact and no integrity or availability impact.

Unauthenticated remote attackers can send specially crafted requests to the getLogFile endpoint to traverse directories and retrieve sensitive files, achieving information disclosure without any prior authentication or user assistance.

The referenced Ivanti support article ZDI-CAN-17769 describes the directory traversal behavior in Avalanche but supplies no explicit mitigation steps within the provided source material.

EPSS for the CVE rose from a low baseline to a peak of 0.3114 on 2026-02-03 before receding to the current value of 0.0599, indicating a period of increased exploitation interest after public disclosure.

Vulnerability details

A path traversal vulnerability exists in Avalanche version 6.3.x and below that when exploited could result in possible information disclosure.

CWE(s)

CWE-22

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ivanti | Product: avalanche | Affected versions: ≤ 6.3.4.153

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.