CVE-2022-36980
published 2023-03-29

Priority P272 · high · 8.1 (CVSS 3.1)
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 83.14% (99.6th percentile)
This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the EnterpriseServer service. The issue results from the lack of proper locking when performing operations during authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15528.

Affected

2 ranges

Vendor    Product      Version range              Fixed in
ivanti    avalanche
ivanti    avalanche    >= 6.3.2.3490 < 6.3.4      6.3.4

Detection & IOCs (extracted from sources)

  • The vulnerability exists within the EnterpriseServer service of Ivanti Avalanche; monitor for unexpected or anomalous authentication activity targeting this service, particularly race-condition patterns (TOCTOU) during the authentication phase.
  • Target environment is Ivanti Avalanche version 6.3.2.3490; ensure version detection rules flag this specific build as vulnerable.
  • Authentication bypass is achievable despite authentication being nominally required — do not rely on authentication logs alone as evidence of a blocked attack; a successful exploit may still appear as an authenticated session.
  • The root cause is a TOCTOU (Time-of-Check Time-of-Use) race condition (CWE-367); detection logic should account for rapid, concurrent or near-simultaneous authentication requests to the EnterpriseServer service as a potential exploitation indicator.

CVSS provenance

Source    Version    Score    Severity    Vector
nvd       v3.1       8.1      HIGH        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       v3.0       9.4      CRITICAL    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H