CVE-2024-22024
Published: 2024-02-13
Priority: P189 · high · CVSS 3.1: 8.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 94.72% (99.8th percentile)
An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.
Affected (22 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | ics | >= 9.1R15.3 < 9.1R15.3 | 9.1R15.3 |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure | — | — |
| ivanti | connect_secure_xxe | — | — |
| ivanti | ics | >= 22.1R6.1 < 22.1R6.1 | 22.1R6.1 |
| ivanti | ics | >= 22.2R4.1 < 22.2R4.1 | 22.2R4.1 |
| ivanti | ics | >= 22.3R1.1 < 22.3R1.1 | 22.3R1.1 |
| ivanti | ics | >= 22.4R1.1 < 22.4R1.1 | 22.4R1.1 |
| ivanti | ics | >= 22.4R2.3 < 22.4R2.3 | 22.4R2.3 |
| ivanti | ics | >= 22.5R1.2 < 22.5R1.2 | 22.5R1.2 |
| ivanti | ics | >= 22.5R2.3 < 22.5R2.3 | 22.5R2.3 |
| ivanti | ics | >= 22.6R1.1 < 22.6R1.1 | 22.6R1.1 |
| ivanti | ics | >= 22.6R2.2 < 22.6R2.2 | 22.6R2.2 |
| ivanti | ics | >= 9.1R14.5 < 9.1R14.5 | 9.1R14.5 |
| ivanti | ics | >= 9.1R17.3 < 9.1R17.3 | 9.1R17.3 |
| ivanti | ics | >= 9.1R18.4 < 9.1R18.4 | 9.1R18.4 |
| ivanti | ips | >= 22.5R1.2 < 22.5R1.2 | 22.5R1.2 |
| ivanti | ips | >= 9.1R17.3 < 9.1R17.3 | 9.1R17.3 |
| ivanti | ips | >= 9.1R18.4 < 9.1R18.4 | 9.1R18.4 |
| ivanti | policy_secure | — | — |
| ivanti | zero_trust_access_gateway | — | — |
Detection & IOCs (extracted from sources)
- Look for HTTP POST requests to SAML endpoints from unknown or suspicious IP addresses.
- Search for DOCTYPE, ENTITY, or SYSTEM tags within the decoded SAMLRequest parameter in full request logs.
- Monitor for frequent 'SAML processing failed' errors or crashes of the saml-server process (Event ID ERR31903) as indicators of failed exploitation attempts.
- Scanning activity targeting CVE-2024-22024 peaked at 240,000 requests from 80 IPs on February 11, 2024; monitor for high-volume POST requests to SAML endpoints.
- Ivanti ICT (Integrity Checker Tool) may fail to detect compromise; do not rely solely on ICT for post-exploitation detection. Look for web shells with no file mismatches, time-stomped files, and re-mounted runtime partitions.
- Monitor for unexpected process spawning or webshells as common post-exploitation follow-up actions after an authentication bypass via CVE-2024-22024.
- Attackers cover tracks by overwriting files, time-stomping files, and re-mounting the runtime partition; hunt for these artifacts on potentially compromised Ivanti appliances.
- CVE-2024-22024 bypassed the initial XML mitigations released by Ivanti in late January 2024; earlier mitigations are insufficient and the specific February 8, 2024 patch (or later) is required.
- Ivanti's internal and previous external ICT is not sufficient to detect compromise; a threat actor may gain root-level persistence despite factory resets.
CVSS provenance
- NVD (v3.1): 8.3 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
- NVD (v3.0): 8.3 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
- VulnCheck: 8.3 HIGH
Ivanti
Ivanti Connect Secure XXE Vulnerability
vendor_ivanti · CVSS 8.3 · HIGH
CVE IDs: CVE-2024-22024
Affected products: Connect Secure, Policy Secure
GHSA
GHSA-cmg9-p9gp-g7mr (CWE-611)
ghsa_unreviewed · 2024-02-13 · HIGH
An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.
VulnCheck
Ivanti Connect Secure and Policy Secure Improper Restriction of XML External Entity Reference
vulncheck · 2024 · CVSS 8.3 · HIGH
An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.
Affected: Ivanti Connect Secure and Policy Secure
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wiz.io/blog/ivanti-vulnerabilities-cve-2023-46805-cve-2024-21887-cve-2024-21888-and-cve-2024-21893; https://attackerkb.com/assessments/e3572615-0a93-4e5b-a181-432316d5c6d3; https://twitter.com/collysucker/status/17559
Suricata
ET WEB_SPECIFIC_APPS Ivanti Connect Secure XXE Attempt (CVE-2024-22024)
suricata · 2024-02-09 · CVSS 8.3 · HIGH
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Connect Secure XXE Attempt (CVE-2024-22024)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dana-na/auth/saml-sso.cgi"; fast_pattern; http.request_body; content:"SAMLRequest="; startswith; base64_decode:bytes 64, offset 0, relative; base64_data; content:"|3c 3f|xml version|3d 22|1.0|22 20 3f 3e 3c|!DOCTYPE|20|root|20 5b 3c|!ENTITY"; reference:cve,2024-22024; reference:url,labs.watchtowr.com/are-we-now-part-of-ivanti/; classtype:web-application-attack; sid:2050784; rev:1; metadata:affected_product Ivanti, attack_target Networking_Equipment, created_at 2024_02_09, cve CVE_2024_22024, deployment Perimeter,
```
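The check that the Suricata rule above and the "search the decoded SAMLRequest for DOCTYPE, ENTITY or SYSTEM" indicator describe, as an added Python example that is not part of this page, of the ET ruleset or of Ivanti's tooling. It goes beyond the rule by scanning the whole decoded document rather than its first 64 bytes and by reporting SYSTEM only inside an entity declaration; the endpoint path is the one from the rule, and the sample requests are constructed.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, quote

# Endpoint named in the Suricata rule on this page.
SAML_SSO_PATH = "/dana-na/auth/saml-sso.cgi"

# A legitimate SAMLRequest never carries a DTD, so any of these is worth triage.
# "SYSTEM" is only reported inside an <!ENTITY ...> declaration (an external
# entity) to avoid false positives from issuer URLs that merely contain "system".
DTD_MARKERS = {
    "<!DOCTYPE": re.compile(rb"<!DOCTYPE", re.I),
    "<!ENTITY": re.compile(rb"<!ENTITY", re.I),
    "SYSTEM": re.compile(rb"<!ENTITY[^>]*\bSYSTEM\b", re.I),
}


def decode_saml_request(value: str) -> Optional[bytes]:
    """Base64-decode a POST-binding SAMLRequest value; None if not valid base64."""
    # Logs that stored the body un-escaped turn '+' into spaces; undo that.
    value = value.strip().replace(" ", "+")
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_dtd_markers(xml: bytes) -> List[str]:
    """Names of the DTD markers present anywhere in the decoded SAML message."""
    return [name for name, rx in DTD_MARKERS.items() if rx.search(xml)]


def inspect_request(method: str, path: str, body: str) -> Dict[str, object]:
    """Classify one logged HTTP request against the CVE-2024-22024 pattern."""
    result: Dict[str, object] = {"saml_endpoint": False, "markers": []}
    if method.upper() != "POST" or path != SAML_SSO_PATH:
        return result
    markers: List[str] = []
    for value in parse_qs(body).get("SAMLRequest", []):
        xml = decode_saml_request(value)
        for name in (find_dtd_markers(xml) if xml is not None else []):
            if name not in markers:
                markers.append(name)
    result.update(saml_endpoint=True, markers=markers)
    return result


def _form(xml: bytes) -> str:
    """Form-encode a SAMLRequest body the way the SAML POST binding does."""
    return "SAMLRequest=" + quote(base64.b64encode(xml).decode(), safe="")


# Constructed sample requests, not captured traffic. The second carries a DTD
# with an internal entity declaration, the shape the detection keys on.
SAMPLE_REQUESTS = [
    ("POST", SAML_SSO_PATH,
     _form(b'<?xml version="1.0"?><samlp:AuthnRequest ID="_a1" Version="2.0"/>')),
    ("POST", SAML_SSO_PATH,
     _form(b'<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY x "y">]><root>&x;</root>')),
    ("GET", "/dana-na/auth/url_default/welcome.cgi", ""),
]


def scan(requests=SAMPLE_REQUESTS) -> List[Dict[str, object]]:
    """Run the check over (method, path, body) request records."""
    return [inspect_request(*r) for r in requests]
```

Feed it records parsed from full request logs (the indicator above depends on the body being logged, not just the URI); a hit on any marker for the SAML endpoint is what the Suricata signature would alert on.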
Nuclei
Ivanti Connect Secure - XXE
nuclei · CVSS 8.3 · HIGH
Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.
Template:
```yaml
id: CVE-2024-22024

info:
  name: Ivanti Connect Secure - XXE
  author: watchTowr
  severity: high
  description: |
    Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information or remote code execution.
  remediation: |
    Apply the latest security patches or updates provided by Ivanti to fix the XXE vulnerability.
  reference:
    - https://labs.watchtowr.com/are-we-now-part-of-ivanti/
    - https://twitter.com/h4x0r_dz/status/1755849867149103106/photo/1
  classification:
    epss-score: 0.94249
    epss-percentile: 0.99931
  metadata:
    max-request: 1
    vendor: ivanti
    product: connec
```
Bleepingcomputer
## Ivanti warns of critical vTM auth bypass with public exploit
blogs_bleepingcomputer · 2024-08-13 · CVE-2024-7593 · CVSS 9.8 · CRITICAL
Sergiu Gatlan
Today, Ivanti urged customers to patch a critical authentication bypass vulnerability impacting Virtual Traffic Manager (vTM) appliances that can let attackers create rogue administrator accounts.
Ivanti vTM is a software-based application delivery controller (ADC) that provides app-centric traffic management and load balancing for hosting business-critical services.
Tracked as CVE-2024-7593, this auth bypass vulnerability is due to an incorrect implementation of an authentication algorithm that allows remote unauthenticated attackers to bypass authentication on Internet-exposed vTM admin panels.
"Ivanti released updates for Ivanti Virtual Traffic Manager (vTM) which addressed a critical vulnerability. S
Bleepingcomputer
## New Ivanti RCE flaw may impact 16,000 exposed VPN gateways
blogs_bleepingcomputer · 2024-04-05 · CVE-2024-21894 · CVSS 8.2 · HIGH
Bill Toulas
Approximately 16,500 Ivanti Connect Secure and Policy Secure gateways exposed on the internet are likely vulnerable to a remote code execution (RCE) flaw the vendor addressed earlier this week.
The flaw is tracked as CVE-2024-21894 and is a high-severity heap overflow in the IPSec component of Ivanti Connect Secure 9.x and 22.x, potentially allowing unauthenticated users to cause denial of service (DoS) or achieve RCE by sending specially crafted requests.
Upon disclosure, on April 3, 2024, the internet search engine Shodan showed 29,000 internet-exposed instances, while threat monitoring service Shadowserver reported seeing roughly 18,000.
At the time, Ivanti stated that it had seen no signs of active exploita
Bleepingcomputer
## Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks
blogs_bleepingcomputer · 2024-04-03 · CVE-2024-21894 · CVSS 8.2 · HIGH
Sergiu Gatlan
Update 4/5/25: ShadowServer says there are 16,000 exposed devices likely vulnerable to this flaw.
IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways.
Unauthenticated attackers can exploit one of them, a high-severity flaw tracked as CVE-2024-21894, to gain remote code execution and trigger denial of service states on unpatched appliances in low-complexity attacks that don't require user interaction.
The vulnerability is caused by a heap overflow weakness in the IPSec component of all supported gateway versions.
While Ivanti said the remote code execution risks are limited to "certain conditions," t
Bleepingcomputer
## Ivanti fixes critical Standalone Sentry bug reported by NATO
blogs_bleepingcomputer · 2024-03-20 · CVE-2023-41724 · CVSS 8.8 · HIGH
Sergiu Gatlan
Ivanti warned customers to immediately patch a critical severity Standalone Sentry vulnerability reported by NATO Cyber Security Centre researchers.
Standalone Sentry is deployed as an organization's Kerberos Key Distribution Center Proxy (KKDCP) server or as a gatekeeper for ActiveSync-enabled Exchange and Sharepoint servers.
Tracked as CVE-2023-41724, the security flaw impacts all supported versions and it allows unauthenticated bad actors within the same physical or logical network to execute arbitrary commands in low-complexity attacks.
Ivanti also fixed a second critical vulnerability (CVE-2023-46808) in its Neurons for ITSM IT service management solution that enables remote threat actors with acc
Wiz
## Crying Out Cloud - March 2024 Newsletter | Wiz
blogs_wiz · 2024-03-01 · CVE-2024-21626 · CVSS 8.6 · HIGH
Welcome back! In this edition, we bring you the latest in cloud security – crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.
Here are our cloud security highlights!
## 🐞 High Profile Vulnerabilities
Leaky Vessels: Docker and runc Container Escape Vulnerabilities
Several vulnerabilities have been revealed in the runC command line tool (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). These flaws pose a risk of container escape, exploiting these vulnerabilities could grant unauthorized access to the host operating system, potentially compromising sensitive data and facilitating further attacks, particularly with superuser privileges.
According to Wiz data, 18% of cloud environments have resources
Bleepingcomputer
## CISA cautions against using hacked Ivanti VPN gateways even after factory resets
blogs_bleepingcomputer · 2024-02-29 · CVSS 8.2 · HIGH
Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets.
Furthermore, they can also evade detection by Ivanti's internal and external Integrity Checker Tool (ICT) on Ivanti Connect Secure and Policy Secure gateways compromised using CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893 exploits.
The four vulnerabilities' severity ratings range from high to critical, and they can be exploited for authentication bypass, command injection, server-side-request forgery, and
Bleepingcomputer
## Over 13,000 Ivanti gateways vulnerable to actively exploited bugs
blogs_bleepingcomputer · 2024-02-15 · CVE-2024-22024 · CVSS 8.2 · HIGH
Bill Toulas
Thousands of Ivanti Connect Secure and Policy Secure endpoints remain vulnerable to multiple security issues first disclosed more than a month ago and which the vendor gradually patched.
The flaws are CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888. Their severity ranges from high to critical and they concern authentication bypass, server-side-request forgery, arbitrary command execution, and command injection problems.
Some of these vulnerabilities have been reported as exploited by nation-state actors before they were being leveraged at a larger scale by a broad range of threat actors.
Starting with CVE-2024-22024, the issue is an XXE vulnerability in the SAML compo
Checkpoint
## 12th February – Threat Intelligence Report
blogs_checkpoint · 2024-02-12 · CVE-2022-42475
For the latest discoveries in cyber research for the week of 12th February, please download our Threat_Intelligence Bulletin.
TOP ATTACKS AND BREACHES
One of the largest unions in California, Service Employees International Union (SEIU) Local 1000, has confirmed a ransomware attack that led to network disruption. The LockBit ransomware gang has assumed responsibility, claiming to have stolen 308GB of data including sensitive employee information such as Social Securit
Bleepingcomputer
## Ivanti: Patch new Connect Secure auth bypass bug immediately
blogs_bleepingcomputer · 2024-02-08 · CVE-2024-22024 · CVSS 8.2 · HIGH
Sergiu Gatlan
Today, Ivanti warned of a new authentication bypass vulnerability impacting Connect Secure, Policy Secure, and ZTA gateways, urging admins to secure their appliances immediately.
The flaw (CVE-2024-22024) is due to an XXE (XML eXternal Entities) weakness in the gateways' SAML component that lets remote attackers gain access to restricted resources on unpatched appliances in low-complexity attacks without requiring user interaction or authentication.
"We have no evidence of any customers being exploited by CVE-2024-22024. However, it is critical that you immediately take action to ensure you are fully protected," Ivanti said.
"For users of other supported versions, the mitigation released on 31 January su
Wiz
## Critical Vulnerabilities in Ivanti Exploited In-The-Wild | Wiz Blog
blogs_wiz · 2024-02-06 · CVE-2023-46805 · CVSS 8.2 · HIGH
February 9, 2024 update
On February 8, 2024, Ivanti released an advisory for a new authentication bypass high severity vulnerability, CVE-2024-22024 impacting Ivanti Connect Secure (`9.x, 22.x`), Ivanti Policy Secure (`9.x, 22.x`) and ZTA gateways. The flaw in the SAML component of the mentioned products allows an attacker to access certain restricted resources without authentication. On February 9, 2024, the vulnerability has been reported to be exploited in-the-wild.
Customers are advised to patch urgently to the fixed versions: Connect Secure versions `9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, 22.6R2.2`, Ivanti Policy Secure versions `9.1R17.3, 9.1R18.4, 22.5R1.2` and ZTA gateways versions `22.5R1.6, 22.6R1.5, 22.6R1.7`.
Wiz customers can use the pre-built query and
Tenable
## CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
blogs_tenable · 2024-01-31 · CVSS 8.2 · HIGH
Unit42
## Threat Brief: Multiple Ivanti Vulnerabilities (Updated Feb. 29)
blogs_unit42 · 2024-01-16 · CVE-2023-46805 · CVSS 8.2 · HIGH
Unit 42 · Published: January 16, 2024
Tags: High Profile Threats, Vulnerabilities, CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893, CVE-2024-22024, Ivanti, VPNs
Unit 42 stopped monitoring this threat and updating the brief on Feb. 29, 2024. Please refer to Ivanti's website for the latest information.
## Update Feb. 29
The U.S. government, in collaboration with international government allies, has published a Joint Cybersecurity Advisory (CSA) which includes recent findings about exploitation of the Ivanti vulnerabilities. In this report the authoring organizations state that threat actors are able to deceive Ivanti’s internal and external Integr
Unit42
## Threat Brief: Multiple Ivanti Vulnerabilities (Updated Feb. 29)
blogs_unit42 · 2024-01-16 · CVE-2023-46805 · CVSS 8.3 · HIGH
Unit 42 stopped monitoring this threat and updating the brief on Feb. 29, 2024. Please refer to Ivanti's website for the latest information.
## Update Feb. 29
The U.S. government, in collaboration with international government allies, has published a Joint Cybersecurity Advisory (CSA) which includes recent findings about exploitation of the Ivanti vulnerabilities. In this report the authoring organizations state that threat actors are able to deceive Ivanti’s internal and external Integrity Checker Tools (ICT) which results in a failure to detect a compromise. They also state that cyber threat actors may be able to maintain root-level persistence despite issuing factory resets.
This CSA also includes guidance on incident response steps. They recommend defenders reset all credentials tha
Huntress
## CVE-2024-22024 (Ivanti XXE) Vulnerability: Analysis & Detection | Huntress
blogs_huntress · CVE-2024-22024 · CVSS 8.2 · HIGH
CVE-2024-22024 Vulnerability
CVEs are Common Vulnerabilities and Exposures - unique identifiers assigned to publicly known cybersecurity vulnerabilities.
Published: 01/20/2026
Written by: Nadine Rozell
## What is CVE-2024-22024 vulnerability?
CVE-2024-22024 is an XXE (XML External Entity) flaw in the SAML (Security Assertion Markup Language) authentication component of Ivanti gateways.
The vulnerability exists because the application processes XML input from user-supplied requests without properly disabling external entity references. Attackers can exploit this by embedding a malicious XML reference (an "entity") in a SAML request. When the server processes this request, it automatically expands the entity, which can allow the attacker to read arbitrary files on the system or trick t
Greynoiseio
## NoiseLetter February 2024
blogs_greynoiseio