CVE-2023-28128
published 2023-05-09


Priority: P2 (71)
Severity: high, CVSS 3.1 base score 7.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 84.70% (99.7th percentile)
An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.3.x and below that could allow an attacker to achieve remote code execution.

Affected (2 ranges)

Vendor   Product     Version range    Fixed in
ivanti   avalanche   <= 6.3.4.153
ivanti   avalanche

Detection & IOCs (extracted from sources)

url: /AvalancheWeb/FileStoreConfig
filename: *.jsp
  • Monitor for changes to the Central FileStore configuration path in Ivanti Avalanche, specifically attempts to set the path to a web-accessible directory using MS-DOS style short names (e.g., 8.3 format paths).
  • Alert on JSP file uploads to the Ivanti Avalanche web root directory, which may indicate exploitation of the unrestricted file upload vulnerability.
  • Detect HTTP POST requests to the FileStoreConfig endpoint that include path traversal or short-name (8.3) style directory components pointing to the web root.
  • Monitor for web shell execution (e.g., JSP process spawning cmd.exe or powershell.exe) running under NT AUTHORITY\SYSTEM in the context of the Ivanti Avalanche web server.
  • The vulnerability affects Avalanche versions 6.3.x and below; the Metasploit module targets versions prior to v6.4.0.186. Ensure the patched version (6.4.0.186+) is confirmed before assuming remediation.
  • Exploitation requires administrator-level access to the Avalanche management interface to change the FileStore path; detections should account for authenticated abuse scenarios, not just unauthenticated access.