CVE-2024-22024
published 2024-02-13

Priority: P1 · 89 · high
CVSS 3.1: 8.3 (AV:N / AC:L / PR:N / UI:N / S:C / C:L / I:L / A:L)
Tags: ITW, Exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 94.72% (99.8th percentile)
An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.

Affected

22 ranges
Vendor   Product                     Version range              Fixed in
ivanti   cs                          >= 9.1R15.3 < 9.1R15.3     9.1R15.3
ivanti   connect_secure
ivanti   connect_secure
ivanti   connect_secure
ivanti   connect_secure_xxe
ivanti   ics                         >= 22.1R6.1 < 22.1R6.1     22.1R6.1
ivanti   ics                         >= 22.2R4.1 < 22.2R4.1     22.2R4.1
ivanti   ics                         >= 22.3R1.1 < 22.3R1.1     22.3R1.1
ivanti   ics                         >= 22.4R1.1 < 22.4R1.1     22.4R1.1
ivanti   ics                         >= 22.4R2.3 < 22.4R2.3     22.4R2.3
ivanti   ics                         >= 22.5R1.2 < 22.5R1.2     22.5R1.2
ivanti   ics                         >= 22.5R2.3 < 22.5R2.3     22.5R2.3
ivanti   ics                         >= 22.6R1.1 < 22.6R1.1     22.6R1.1
ivanti   ics                         >= 22.6R2.2 < 22.6R2.2     22.6R2.2
ivanti   ics                         >= 9.1R14.5 < 9.1R14.5     9.1R14.5
ivanti   ics                         >= 9.1R17.3 < 9.1R17.3     9.1R17.3
ivanti   ics                         >= 9.1R18.4 < 9.1R18.4     9.1R18.4
ivanti   ips                         >= 22.5R1.2 < 22.5R1.2     22.5R1.2
ivanti   ips                         >= 9.1R17.3 < 9.1R17.3     9.1R17.3
ivanti   ips                         >= 9.1R18.4 < 9.1R18.4     9.1R18.4
ivanti   policy_secure
ivanti   zero_trust_access_gateway

Detection & IOCs (extracted from sources)

path: /dana-na/auth/saml-sso.cgi
path: /dana-ws/saml.ws
path: /dana-na/
  • Look for HTTP POST requests to SAML endpoints from unknown or suspicious IP addresses
  • Search for DOCTYPE, ENTITY, or SYSTEM tags within the decoded SAMLRequest parameter in full request logs
  • Monitor for frequent 'SAML processing failed' errors or crashes of the saml-server process (Event ID ERR31903) as indicators of failed exploitation attempts
  • Scanning activity targeting CVE-2024-22024 peaked at 240,000 requests from 80 IPs on February 11, 2024; monitor for high-volume POST requests to SAML endpoints
  • Ivanti ICT (Integrity Checker Tool) may fail to detect compromise; do not rely solely on ICT for post-exploitation detection — look for web shells with no file mismatches, time-stomped files, and re-mounted runtime partitions
  • Monitor for unexpected process spawning or webshells as common post-exploitation follow-up actions after an authentication bypass via CVE-2024-22024
  • Attackers cover tracks by overwriting files, time-stomping files, and re-mounting the runtime partition; hunt for these artifacts on potentially compromised Ivanti appliances
  • CVE-2024-22024 bypassed the initial XML mitigations released by Ivanti in late January 2024; earlier mitigations are insufficient and the specific February 8, 2024 patch (or later) is required
  • Ivanti's internal and previous external ICT is not sufficient to detect compromise; a threat actor may gain root-level persistence despite factory resets
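Detection logic for the two log-hunting bullets above (decode the SAMLRequest parameter of POSTs to the SAML endpoints and look for DOCTYPE/ENTITY/SYSTEM, then count hits per source IP), as an added example that is not from this page or from Ivanti. It assumes a simplified, constructed log line format '<ip> <method> <path> [<urlencoded body>]' and uses constructed sample traffic with documentation-range IPs; the SAML encoding rules (base64 for HTTP-POST, raw DEFLATE plus base64 for HTTP-Redirect) are from the SAML 2.0 bindings specification.

```python
import base64
import re
import zlib
from collections import Counter
from urllib.parse import parse_qs, urlencode

SAML_PATHS = ("/dana-na/auth/saml-sso.cgi", "/dana-ws/saml.ws")  # endpoints named in the guidance above
XXE_MARKERS = re.compile(rb"<!DOCTYPE|<!ENTITY|\bSYSTEM\b", re.IGNORECASE)  # never in a legitimate AuthnRequest

def decode_saml_request(value: str) -> bytes:
    """Base64-decode a SAMLRequest; inflate it if it is the raw-DEFLATEd HTTP-Redirect form."""
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):   # already plain XML (HTTP-POST binding)
        return raw
    return zlib.decompress(raw, -15)    # -15: raw DEFLATE stream without zlib header

def scan_log_line(line: str):
    """Parse our constructed '<ip> <method> <path> [<body>]' line; return (src_ip, path, suspicious) for SAML POSTs, else None."""
    parts = line.split(" ", 3)
    if len(parts) < 3 or parts[1] != "POST" or not parts[2].startswith(SAML_PATHS):
        return None
    body = parts[3] if len(parts) == 4 else ""
    suspicious = False
    for value in parse_qs(body).get("SAMLRequest", []):
        try:
            suspicious |= bool(XXE_MARKERS.search(decode_saml_request(value)))
        except (ValueError, zlib.error):
            suspicious = True  # an undecodable payload on a SAML endpoint is worth a look too
    return parts[0], parts[2], suspicious

def count_suspicious_by_ip(lines) -> Counter:
    """Flagged SAML POSTs per source IP; large counts match the high-volume scanning pattern described above."""
    return Counter(r[0] for r in map(scan_log_line, lines) if r and r[2])

def _encode(xml: bytes, deflate: bool) -> str:
    """Build a SAMLRequest value the way a SAML client would (used only to construct samples)."""
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        xml = comp.compress(xml) + comp.flush()
    return base64.b64encode(xml).decode()

# Constructed sample log lines (documentation-range IPs, not real traffic); the DTD sample only declares an internal entity.
BENIGN_XML = b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1"/>'
DTD_XML = b'<!DOCTYPE AuthnRequest [<!ENTITY marker "x">]><samlp:AuthnRequest ID="_2"/>'
SAMPLE_LINES = [
    "203.0.113.5 POST /dana-na/auth/saml-sso.cgi " + urlencode({"SAMLRequest": _encode(BENIGN_XML, False)}),
    "198.51.100.7 POST /dana-ws/saml.ws " + urlencode({"SAMLRequest": _encode(DTD_XML, True)}),
    "198.51.100.7 POST /dana-na/auth/saml-sso.cgi " + urlencode({"SAMLRequest": _encode(DTD_XML, False)}),
    "203.0.113.5 GET /dana-na/auth/welcome.cgi",
]
```

Running count_suspicious_by_ip(SAMPLE_LINES) flags only 198.51.100.7 (twice): the benign request and the non-SAML GET are ignored, and both the deflated and the plain base64 DTD variants are caught.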

CVSS provenance

nvd        v3.1   8.3   HIGH   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
nvd        v3.0   8.3   HIGH   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
vulncheck         8.3   HIGH