CVE-2024-37397
Published 2024-09-12
Priority P2 · 71 · high · CVSS 3.1: 8.2
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:L / A:N
EPSS: 59.26% (99.0th percentile)
An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager | < 2022 | 2022 |
| ivanti | endpoint_manager | — | — |
| ivanti | epm | >= 2022 SU6 < 2022 SU6 | 2022 SU6 |
| ivanti | epm | >= 2024 September Security Update < 2024 September Security Update | 2024 September Security Update |
| ivanti | neurons_for_itsm_external_entity | — | — |
Detection & IOCs (extracted from sources)
url: /LANDesk/ManagementSuite/Core/ProvisioningWebService/WebService.asmx
bytes: |3c|SetActionStatus
bytes: |3c|actionXml|3e 3c 21 5b|CDATA|5b|
snort:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Endpoint Manager Unauthorized XML External Entity (CVE-2024-37397)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/LANDesk/ManagementSuite/Core/ProvisioningWebService/WebService.asmx"; fast_pattern; http.request_body; content:"|3c|SetActionStatus"; content:"|3c|actionXml|3e 3c 21 5b|CDATA|5b|"; reference:url,github.com/pwnfuzz/POCs/tree/main/CVE%202024-37397; reference:cve,2024-37397; classtype:web-application-attack; sid:2059873; rev:1; metadata:affected_product Ivanti, attack_target Server, tls_state TLSDecrypt, created_at 2025_02_03, cve CVE_2024_37397, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_02_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit traffic targets the provisioning web service endpoint via unauthenticated HTTP POST requests; monitor for POST requests to the specific ASMX path.
- The XXE payload is injected inside a CDATA block within the <actionXml> element of a SetActionStatus SOAP call; look for CDATA-wrapped content in the request body alongside the SetActionStatus tag.
- The vulnerability is exploitable by remote unauthenticated attackers, so no session or auth token is required in the triggering request; absence of authentication headers is expected in attack traffic.
- The detection rule requires TLS decryption (SSLDecrypt/TLSDecrypt) to inspect the request body; ensure SSL inspection is enabled on perimeter and internal sensors.
- Affected versions are Ivanti EPM before 2022 SU6 and before the 2024 September update; patched instances should still be monitored, as the endpoint remains exposed.
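To check the detection notes above against sample traffic, here is an added example (not code from the page, Ivanti or Emerging Threats) that re-implements the content matches of sid:2059873 in Python over raw HTTP requests; the host name epm.example.internal and all request bodies are constructed for the demonstration.

```python
# Added example, not code from the page, Ivanti or Emerging Threats: the content
# matches of ET sid:2059873 re-implemented over raw HTTP request bytes so the
# detection logic can be checked offline against constructed samples.
from typing import Dict, Tuple

TARGET_URI = b"/LANDesk/ManagementSuite/Core/ProvisioningWebService/WebService.asmx"
# Rule byte patterns, decoded from the |hex| notation used in the signature:
#   |3c|SetActionStatus                 -> "<SetActionStatus"
#   |3c|actionXml|3e 3c 21 5b|CDATA|5b| -> "<actionXml><![CDATA["
PATTERN_ACTION = bytes.fromhex("3c") + b"SetActionStatus"
PATTERN_CDATA = (bytes.fromhex("3c") + b"actionXml"
                 + bytes.fromhex("3e 3c 21 5b") + b"CDATA" + bytes.fromhex("5b"))

def parse_request(raw: bytes) -> Tuple[bytes, bytes, bytes]:
    """Split a raw HTTP/1.x request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return b"", b"", body
    return parts[0], parts[1], body

def matches_rule(raw: bytes) -> bool:
    """All content matches of sid:2059873 hold. The rule sets no distance/within
    between the two body patterns, so each is an independent substring test;
    flow:established and TLS decryption are sensor preconditions not modelled."""
    method, uri, body = parse_request(raw)
    return (method == b"POST" and TARGET_URI in uri
            and PATTERN_ACTION in body and PATTERN_CDATA in body)

# Constructed samples (not real traffic). The matching body carries only the
# SOAP wrapper the rule keys on, with a placeholder where a payload would sit.
HEAD = (b"POST " + TARGET_URI + b" HTTP/1.1\r\nHost: epm.example.internal\r\n"
        b"Content-Type: text/xml\r\n\r\n")
SAMPLES: Dict[str, bytes] = {
    "matching": HEAD + b"<soap:Envelope><soap:Body><SetActionStatus>"
                b"<actionXml><![CDATA[placeholder]]></actionXml>"
                b"</SetActionStatus></soap:Body></soap:Envelope>",
    "no_cdata": HEAD + b"<SetActionStatus><actionXml>ok</actionXml></SetActionStatus>",
    "other_path": HEAD.replace(TARGET_URI, b"/LANDesk/ManagementSuite/other.asmx")
                  + b"<SetActionStatus><actionXml><![CDATA[x]]></actionXml></SetActionStatus>",
    "get": b"GET " + TARGET_URI + b"?WSDL HTTP/1.1\r\nHost: epm.example.internal\r\n\r\n",
}

def scan(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, bool]:
    """Apply the rule logic to every sample and report which ones fire."""
    return {name: matches_rule(raw) for name, raw in samples.items()}
```

Only the sample that is a POST to the ASMX path with both body patterns fires; a WSDL GET, a POST to a sibling path, or a SetActionStatus call without a CDATA section does not.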
CVSS provenance
NVD v3.1: 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
NVD v3.0: 8.2 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
GHSA
GHSA-r268-64hq-mv45 · ghsa_unreviewed · 2024-09-12 · CWE-200 · HIGH
Description identical to the CVE description above.
Ivanti
Ivanti Neurons for ITSM External Entity Injection · vendor_ivanti · CVSS 8.2
CVE IDs: CVE-2024-37397
Affected products: Neurons
Suricata
ET WEB_SPECIFIC_APPS Ivanti Endpoint Manager Unauthorized XML External Entity (CVE-2024-37397) · suricata · 2025-02-03 · CVSS 8.2
Rule: sid:2059873 rev:1, as listed under Detection & IOCs above.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-09-12