Cyber Resilience

CVE-2023-38036

Critical

Published: 12 July 2025

Modified: 17 July 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0281 (86.4th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-38036 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Ivanti Avalanche. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 13.6% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2023-38036 is a buffer overflow vulnerability (CWE-120) in Ivanti Avalanche Manager versions prior to 6.4.1. The flaw arises from inadequate input validation, allowing an unauthenticated attacker to trigger the overflow via crafted network requests to the affected service.

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could lead to service disruption through denial of service or arbitrary code execution, potentially compromising confidentiality, integrity, and availability of the targeted system.

Ivanti's security advisory at https://forums.ivanti.com/s/article/Security-Advisory-Avalanche-CVE-2023-38036 details mitigation steps, including upgrading to Ivanti Avalanche Manager version 6.4.1 or later, where the vulnerability is addressed. Security practitioners should apply patches promptly and review network exposure of Avalanche Manager instances.

Vulnerability details

A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a buffer overflow that could result in service disruption or arbitrary code execution.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A buffer overflow in the network-accessible Ivanti Avalanche Manager service allows unauthenticated remote attackers to achieve arbitrary code execution or DoS via crafted requests, which maps directly to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13179 · Same product: Ivanti Avalanche
CVE-2024-13181 · Same product: Ivanti Avalanche
CVE-2024-13180 · Same product: Ivanti Avalanche
CVE-2026-6973 · Same vendor: Ivanti
CVE-2025-13659 · Same vendor: Ivanti
CVE-2024-13162 · Same vendor: Ivanti
CVE-2025-0282 · Same vendor: Ivanti
CVE-2026-1281 · Same vendor: Ivanti
CVE-2026-1340 · Same vendor: Ivanti
CVE-2026-8111 · Same vendor: Ivanti

Affected Assets

Vendor: ivanti · Product: avalanche · Version: ≤ 6.4.1

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires timely remediation of known flaws like this buffer overflow vulnerability through vendor patching to version 6.4.1 or later.

prevent

Mandates validation of all information inputs to prevent buffer overflows triggered by crafted unauthenticated network requests.

prevent

Implements memory protections such as non-executable memory and address space randomization to block arbitrary code execution from buffer overflow exploits.
