CVE-2023-41727
published 2023-12-19

Priority: P275 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 36.39% (98.3rd percentile)
An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption, which could result in a Denial of Service (DoS) or code execution.

Affected

2 ranges

Vendor | Product   | Version range  | Fixed in
ivanti | avalanche | < 6.4.2        | 6.4.2
ivanti | wavelink  | 6.4.1 – 6.4.1  | (none listed)

Detection & IOCs (extracted from sources)

Port: 1777
Process: WLAvalancheService.exe
Path: C:\Program Files\Wavelink\Avalanche\MobileDeviceServer\WLAvalancheService.exe
  • Monitor for unauthenticated TCP connections to port 1777 targeting WLAvalancheService.exe with oversized MuProperty type 100 payloads; the overflow occurs when a MuProperty type field is set to 100 and the value data exceeds the fixed-size stack buffer.
  • Detect exploit attempts by inspecting TCP/1777 traffic for the MuProperty message structure where the be32 type field equals 100 (0x00000064) and the ValueSize field indicates a large payload exceeding the fixed stack buffer size.
  • A crash or access violation at WLAvalancheService+0x2af11 (EIP=0042af11, instruction 'rep movsd') with stack overwritten by 0x41414141 patterns is a strong indicator of active exploitation of CVE-2023-41727.
  • The exploit message preamble on TCP/1777 begins with a big-endian MsgSize field followed by HdrSize and PayloadSize; anomalously large PayloadSize values in combination with MuProperty type 100/101/102 should be flagged.
  • The vulnerability is unauthenticated and exploitable over the network with no prior authentication required (PR:N, UI:N), meaning any host with network access to TCP/1777 can trigger the overflow.
  • The affected binary WLAvalancheService.exe in Avalanche v6.4.1 lacks a verifiable checksum per WinDbg output, which may complicate integrity-based detection approaches.

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v3.0): 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H