cbcvebase.
CVE-2024-37397
published 2024-09-12


Priority: P2 (71)
CVSS 3.1: 8.2 high (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS: 59.26% (99.0th percentile)
An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.

Affected (5 ranges)

Vendor   Product                            Version range                                                            Fixed in
ivanti   endpoint_manager                   < 2022                                                                   2022
ivanti   endpoint_manager                   (not specified)                                                          (not specified)
ivanti   epm                                >= 2022 SU6, < 2022 SU6                                                  2022 SU6
ivanti   epm                                >= 2024 September Security Update, < 2024 September Security Update     2024 September Security Update
ivanti   neurons_for_itsm_external_entity   (not specified)                                                          (not specified)

The two epm rows are empty ranges as exported (the lower bound equals the upper bound), and the neurons_for_itsm_external_entity entry carries no range at all. Read them against the description above: EPM before 2022 SU6, or before the 2024 September update, is affected.

Detection & IOCs (extracted from sources)

URL:   /LANDesk/ManagementSuite/Core/ProvisioningWebService/WebService.asmx
Bytes: |3c|SetActionStatus   (decodes to "<SetActionStatus")
Bytes: |3c|actionXml|3e 3c 21 5b|CDATA|5b|   (decodes to "<actionXml><![CDATA[")
Suricata rule (ET Open, sid 2059873):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Endpoint Manager Unauthorized XML External Entity (CVE-2024-37397)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/LANDesk/ManagementSuite/Core/ProvisioningWebService/WebService.asmx"; fast_pattern; http.request_body; content:"|3c|SetActionStatus"; content:"|3c|actionXml|3e 3c 21 5b|CDATA|5b|"; reference:url,github.com/pwnfuzz/POCs/tree/main/CVE%202024-37397; reference:cve,2024-37397; classtype:web-application-attack; sid:2059873; rev:1; metadata:affected_product Ivanti, attack_target Server, tls_state TLSDecrypt, created_at 2025_02_03, cve CVE_2024_37397, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_02_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic targets the provisioning web service endpoint with unauthenticated HTTP POST requests; monitor for POSTs to the ASMX path above.
  • The XXE payload is injected inside a CDATA block within the <actionXml> element of a SetActionStatus SOAP call; look for CDATA-wrapped content in the request body alongside the SetActionStatus tag.
  • The vulnerability is exploitable by remote unauthenticated attackers, so no session or auth token is needed in the triggering request; the absence of authentication headers is expected in attack traffic and is not a filtering criterion.
  • The rule inspects the request body, so it needs TLS decryption (its metadata says tls_state TLSDecrypt and deployment SSLDecrypt); enable SSL inspection on perimeter and internal sensors. Its content matches carry no nocase and are therefore case-sensitive, while IIS resolves the ASMX path case-insensitively, so a request whose path differs only in letter case would reach the service without matching the URI content.
  • Affected versions are Ivanti EPM before 2022 SU6 and before the 2024 September update; patched instances should still be monitored, as the endpoint remains exposed.
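As an added example (not from this page, from Ivanti, or from the ET rule authors), the rule's matching logic replayed in Python over constructed HTTP requests. The request samples, the host name, the SOAP envelope layout and the inline-DTD heuristic are assumptions of this example: the heuristic is not part of the Suricata rule, and the samples were written for the demo rather than captured from any system.

```python
# Added example: replay the ET rule's matches (POST + URI + two body patterns) and
# add an inline-DTD check on the CDATA contents. Not the page's, Ivanti's or ET's code.
import re
from dataclasses import dataclass
from typing import Dict, Optional

TARGET_URI = "/LANDesk/ManagementSuite/Core/ProvisioningWebService/WebService.asmx"
# The rule's two request-body matches, decoded from |hex| notation.
PAT_SET_ACTION_STATUS = b"<SetActionStatus"      # |3c|SetActionStatus
PAT_ACTIONXML_CDATA = b"<actionXml><![CDATA["    # |3c|actionXml|3e 3c 21 5b|CDATA|5b|
# Heuristic (assumption, not in the rule): an XXE payload declares its entity in an inline DTD.
PAT_INLINE_DTD = re.compile(rb"<!DOCTYPE\b|<!ENTITY\b", re.IGNORECASE)


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: Dict[str, str]
    body: bytes


def parse_raw_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into method, URI, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].decode("latin-1").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)


def cdata_payload(body: bytes) -> Optional[bytes]:
    """Return the bytes wrapped by <actionXml><![CDATA[ ... ]]>, or None if absent."""
    start = body.find(PAT_ACTIONXML_CDATA)
    if start < 0:
        return None
    start += len(PAT_ACTIONXML_CDATA)
    end = body.find(b"]]>", start)
    return body[start:] if end < 0 else body[start:end]


def classify(req: HttpRequest) -> Dict[str, object]:
    """Mirror the rule, then grade the CDATA contents.

    The rule's content matches have no 'nocase' and are case-sensitive; IIS resolves
    the ASMX path case-insensitively, so the path is compared case-insensitively here
    to close that gap. XML element names are case-sensitive, so the body patterns are
    matched exactly, as the rule does.
    """
    path = req.uri.split("?", 1)[0]
    rule_match = (
        req.method == "POST"
        and TARGET_URI.lower() in path.lower()
        and PAT_SET_ACTION_STATUS in req.body
        and PAT_ACTIONXML_CDATA in req.body
    )
    payload = cdata_payload(req.body) if rule_match else None
    inline_dtd = bool(payload is not None and PAT_INLINE_DTD.search(payload))
    if inline_dtd:
        verdict = "alert: SetActionStatus with inline DTD in actionXml CDATA"
    elif rule_match:
        verdict = "review: rule pattern matched, no DTD in CDATA"
    else:
        verdict = "no match"
    return {"rule_match": rule_match, "inline_dtd": inline_dtd, "verdict": verdict}


# Constructed sample traffic for the demo (not captured from any real system).
_HEAD = (
    b"POST /LANDesk/ManagementSuite/Core/ProvisioningWebService/WebService.asmx HTTP/1.1\r\n"
    b"Host: epm.example.internal\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n\r\n"
)
_ENVELOPE = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    b"<SetActionStatus><actionXml><![CDATA[%s]]></actionXml></SetActionStatus>"
    b"</soap:Body></soap:Envelope>"
)
# Generic XXE shape: an inline DTD declaring an external entity, then a reference to it.
SAMPLE_XXE_SHAPED = _HEAD + _ENVELOPE % (
    b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY x SYSTEM "file:///placeholder">]><d>&x;</d>'
)
# Same call shape with plain XML in the CDATA: the ET rule would still fire on this.
SAMPLE_NO_DTD = _HEAD + _ENVELOPE % b"<status><code>0</code></status>"
# Unrelated request to the same host.
SAMPLE_GET = b"GET /LANDesk/ManagementSuite/ HTTP/1.1\r\nHost: epm.example.internal\r\n\r\n"


def run_samples() -> Dict[str, str]:
    """Classify the three constructed samples and return name -> verdict."""
    samples = [("xxe_shaped", SAMPLE_XXE_SHAPED), ("no_dtd", SAMPLE_NO_DTD), ("get", SAMPLE_GET)]
    return {name: str(classify(parse_raw_request(raw))["verdict"]) for name, raw in samples}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

The second sample is the point of the DTD check: the rule's body matches describe a well-formed SetActionStatus call, so any client that wraps actionXml in CDATA would trigger it. Keeping the rule as the trigger and grading the CDATA contents afterwards lets a SOC separate a probable XXE attempt from a provisioning call that merely shares its shape.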

CVSS provenance

NVD, CVSS v3.1: 8.2 HIGH   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
NVD, CVSS v3.0: 8.2 HIGH   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N