CVE-2024-38653
Published: 2024-08-14
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
Priority: P187 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 91.98% (99.8th percentile)
Affected (14 ranges; 13 of them carry no version data in the source record)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | avalanche | >= 6.4.4 < 6.4.4 | 6.4.4 |
Detection & IOCs (extracted from sources)
Byte patterns:
- |3c 3f|xml (the XML declaration "<?xml" at the start of the request body)
- |3c 21|ENTITY|20 25| ("<!ENTITY %", a parameter-entity declaration)
Snort:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Avalanche SmartDeviceServer XML External Entity Injection (CVE-2024-38653)"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/mdm/checkin"; fast_pattern; http.request_body; content:"|3c 3f|xml"; startswith; content:"|3c 21|ENTITY|20 25|"; distance:0; reference:url,github.com/pwnfuzz/POCs/tree/main/CVE%202024-38653; reference:cve,2024-38653; classtype:web-application-attack; sid:2059880; rev:1; metadata:affected_product Ivanti, attack_target Server, tls_state TLSDecrypt, created_at 2025_02_04, cve CVE_2024_38653, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_02_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit traffic is a PUT request to /mdm/checkin with Content-Type: application/xml, whose XML body starts with an XML declaration followed by a DOCTYPE containing an ENTITY % (parameter entity) declaration, the characteristic shape of a blind/out-of-band XXE payload.
- The exploit triggers an outbound HTTP callback from the server; when the callback is observed on an interactsh/OOB channel its User-Agent is 'Java', indicating a Java-based server-side XML parser (e.g., Java's built-in SAX/DOM parser).
- The Snort/ET rule keys on three conditions that must all match for it to fire: HTTP PUT method, URI /mdm/checkin, and a request body that begins with the XML declaration bytes (3c 3f = '<?') and later contains the ENTITY % bytes (3c 21 = '<!', 20 25 = ' %').
- The vulnerability is unauthenticated: no session cookie or Authorization header is required. Any PUT to /mdm/checkin with a malicious XML body should be treated as a potential exploit attempt.
- The ET Snort rule (sid:2059880) requires TLS decryption to be effective against HTTPS traffic, as noted in its metadata (tls_state TLSDecrypt).
- The Nuclei template uses an interactsh OOB callback to confirm exploitation; its matcher checks for an inbound HTTP request with a User-Agent containing 'Java'. Environments without OOB/interactsh infrastructure cannot confirm exploitation with this template as-is.
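The three rule conditions described above, re-implemented in plain Python so they can be exercised against sample requests offline. This is an added example, not Ivanti's, Emerging Threats' or the aggregator's code; the request samples are constructed, and the parser is only as complete as those samples need.

```python
"""Matching logic of ET rule sid:2059880 (CVE-2024-38653) re-implemented in Python.
Added example; constructed samples, not captured traffic. The real rule inspects
decrypted HTTP (tls_state TLSDecrypt), so the same applies to its inputs here."""

XML_DECL = b"<?xml"           # rule: content:"|3c 3f|xml"; startswith;
PARAM_ENTITY = b"<!ENTITY %"  # rule: content:"|3c 21|ENTITY|20 25|"; distance:0;


def matches_et_2059880(method: str, uri: str, body: bytes) -> bool:
    """True only when all three conditions hold: PUT method, /mdm/checkin in the
    URI, and a body that starts with an XML declaration and later contains a
    parameter-entity declaration."""
    if method.upper() != "PUT":
        return False
    if "/mdm/checkin" not in uri:
        return False
    if not body.startswith(XML_DECL):   # 'startswith' anchors at body offset 0
        return False
    # 'distance:0' means the second content may appear anywhere after the first
    return body.find(PARAM_ENTITY, len(XML_DECL)) != -1


def parse_raw_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, body). Minimal parser for
    the constructed samples below, not a general HTTP implementation."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, body


# Constructed samples (hypothetical host name, placeholder entity value).
BENIGN_CHECKIN = (b"PUT /mdm/checkin HTTP/1.1\r\nHost: avalanche.example\r\n"
                  b"Content-Type: application/xml\r\n\r\n"
                  b'<?xml version="1.0"?><checkin><device id="1"/></checkin>')
SUSPICIOUS_CHECKIN = (b"PUT /mdm/checkin HTTP/1.1\r\nHost: avalanche.example\r\n"
                      b"Content-Type: application/xml\r\n\r\n"
                      b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % p "placeholder">]>'
                      b"<checkin/>")
OTHER_PATH = (b"PUT /mdm/other HTTP/1.1\r\nHost: avalanche.example\r\n\r\n"
              b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % p "placeholder">]>')


def scan(raw_requests):
    """Return the indices of the requests the rule would alert on."""
    return [i for i, raw in enumerate(raw_requests)
            if matches_et_2059880(*parse_raw_request(raw))]
```

Only the second sample fires: the benign check-in has no parameter entity, and the third has the payload but not the target URI, mirroring the rule's all-three-conditions requirement.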
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v3.0 | 8.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L |
| vulncheck | — | 7.5 | HIGH | — |
Ivanti (vendor_ivanti) · 2024-08-14 · CVSS 7.5 · HIGH · CWE-611
Ivanti Security Advisory: CVE-2024-38653
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
CVE IDs: CVE-2024-38653 · CVSS Base Score: 7.5 · Severity: HIGH · CWEs: CWE-611
GHSA (ghsa_unreviewed) · 2024-08-14 · HIGH · CWE-611
GHSA-6jjx-98r4-vcm4: XXE in SmartDeviceServer in Ivanti Avalanche 6
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
VulnCheck (vulncheck) · 2024 · CVSS 7.5 · HIGH
Ivanti avalanche Improper Restriction of XML External Entity Reference
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
Affected: Ivanti avalanche
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-12-12&host_type=src&vulnerability=cve-2024-38653; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-12-13&host_type=src&vulnerability=cve-2024-38653; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-12-15&host_type=src&vulnerability=cve
Suricata (suricata) · 2025-02-04 · CVSS 7.5 · HIGH
ET WEB_SPECIFIC_APPS Ivanti Avalanche SmartDeviceServer XML External Entity Injection (CVE-2024-38653)
Rule: sid:2059880; the full rule text is quoted above under Detection & IOCs.
Nuclei (nuclei) · CVSS 7.5 · HIGH
Ivanti Avalanche SmartDeviceServer - XML External Entity
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
Template:
```yaml
id: CVE-2024-38653
info:
  name: Ivanti Avalanche SmartDeviceServer - XML External Entity
  author: DhiyaneshDK
  severity: high
  description: |
    XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.
  impact: |
    Unauthenticated attackers can read arbitrary files from the Ivanti Avalanche server, potentially exposing configuration files, credentials, and sensitive data managed by the device management system.
  remediation: |
    Upgrade to Ivanti Avalanche version 6.4.0 or later that addresses this XXE vulnerability.
  reference:
    - h
```