cbcvebase.
CVE-2023-46808
published 2024-03-31

CVE-2023-46808: An file upload vulnerability in Ivanti ITSM before 2023.4, allows an authenticated remote user to perform file writes to the server. Successful exploitation…

PriorityP185critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
2.00%
78.3th percentile
An file upload vulnerability in Ivanti ITSM before 2023.4, allows an authenticated remote user to perform file writes to the server. Successful exploitation may lead to execution of commands in the context of non-root user.

Affected

2 ranges
VendorProductVersion rangeFixed in
ivantiitsm2023.3 – 2023.3
ivantineurons_for_itsm< 2023.42023.4

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability class is unrestricted file upload (CWE-434) in Ivanti ITSM before 2023.4 — monitor for unexpected file writes to the server by authenticated users, particularly in web-accessible directories that could enable server-side code execution.
  • Execution context is a non-root user — post-exploitation process activity (e.g., web shells, spawned child processes) from a non-root account on Ivanti ITSM hosts should be treated as a high-fidelity indicator of compromise.
  • ·Exploitation requires prior authentication — detections should account for the attacker already possessing valid credentials; monitor for anomalous authenticated sessions followed by unusual file upload activity.
  • ·Vulnerability is present in Ivanti ITSM versions before 2023.4 — scope detections and patching efforts to all instances not yet upgraded to 2023.4 or later.

CVSS provenance

nvdv3.19.9CRITICALCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvdv3.09.9CRITICALCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vulncheck9.9CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.