An unrestricted file upload vulnerability in web component of Ivanti Avalanche prior to 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM.