CVE-2023-38036
Published: 12 July 2025
Summary
CVE-2023-38036 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Ivanti Avalanche. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 13.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely remediation of known flaws like this buffer overflow vulnerability through vendor patching to version 6.4.1 or later.
- Mandates validation of all information inputs to prevent buffer overflows triggered by crafted unauthenticated network requests.
- Implements memory protections such as non-executable memory and address space randomization to block arbitrary code execution from buffer overflow exploits.
NVD Description
A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a buffer overflow that could result in service disruption or arbitrary code execution.
Deeper analysis
CVE-2023-38036 is a buffer overflow vulnerability (CWE-120) in Ivanti Avalanche Manager versions prior to 6.4.1. The flaw arises from inadequate input validation, allowing an unauthenticated attacker to trigger the overflow via crafted network requests to the affected service.
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could lead to service disruption through denial of service or arbitrary code execution, potentially compromising confidentiality, integrity, and availability of the targeted system.
Ivanti's security advisory at https://forums.ivanti.com/s/article/Security-Advisory-Avalanche-CVE-2023-38036 details mitigation steps, including upgrading to Ivanti Avalanche Manager version 6.4.1 or later, where the vulnerability is addressed. Security practitioners should apply patches promptly and review network exposure of Avalanche Manager instances.
Details
- CWE(s)