CVE-2024-37397

CVSS 8.2 HIGH · EPSS 59.3% · CWE-611 (Improper Restriction of XML External Entity Reference)
In short

The Ivanti EPM provisioning web service parses attacker-supplied XML with external entities enabled, so an attacker who can reach the service over the network can read API secrets from the server without logging in.

Technical detail

An XXE vulnerability in the provisioning web service allows an unauthenticated remote attacker to exfiltrate API secrets by submitting XML whose DTD declares an external entity (for example one whose SYSTEM identifier points at a local file) and references it in the request body; the service resolves the entity and returns its contents. Affected versions are Ivanti EPM 2022 before SU6 and Ivanti EPM 2024 before the September 2024 update. Exploitation needs only network reachability to the provisioning endpoint: the CVSS vector rates it AV:N/PR:N/UI:N, with high confidentiality impact and low integrity impact, so the primary consequence is disclosure of the secrets, which then grant whatever access those API credentials carry. Defenders should confirm the installed EPM version and update level, apply SU6 or the September 2024 update, and limit which networks can reach the provisioning service.

Summary generated and translated by AI from the official description.
An External XML Entity (XXE) vulnerability in the provisioning web service of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to leak API secrets.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
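As an added illustration of the flaw class (this is not Ivanti's code, and the request format below is constructed rather than EPM's real provisioning schema), the following Python uses the standard library's expat-backed xml.sax parser to reproduce the XXE mechanism the advisory describes: an external general entity whose SYSTEM identifier points at a file the service can read is echoed back inside a response field. The file path, the secret value, and the element names are constructed for the example; the two hardened variants show the parser settings that stop the leak.

```python
"""
Added example (not Ivanti code): an XXE payload aimed at an XML-consuming
endpoint leaks a local file, and two parser settings stop it.

The payload shape and the "provisioning"/"device" element names are
constructed for illustration; they are not EPM's real request format.
"""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler

# Constructed payload in the classic XXE shape: declare an external general
# entity whose SYSTEM id points at a local file, then reference it in content.
XXE_PAYLOAD_TEMPLATE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE request [ <!ENTITY xxe SYSTEM "{uri}"> ]>\n'
    "<provisioning><device>&xxe;</device></provisioning>\n"
)


class _FieldCollector(ContentHandler):
    """Collects the text content of every element, keyed by tag name."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._stack = []

    def startElement(self, name, attrs):
        self._stack.append([])

    def characters(self, content):
        if self._stack:
            self._stack[-1].append(content)

    def endElement(self, name):
        self.fields[name] = "".join(self._stack.pop())


class _RejectDoctype:
    """Lexical handler that aborts the parse as soon as a DTD appears.

    A service that never needs DTDs can refuse them outright, which removes
    entity declarations (the XXE vehicle) and entity-expansion bombs alike.
    """

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed in provisioning requests")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_request(xml_text, resolve_external_entities, reject_doctype):
    """Parse with xml.sax (expat). The two flags are the whole difference
    between the vulnerable and the hardened configuration."""
    parser = xml.sax.make_parser()
    collector = _FieldCollector()
    parser.setContentHandler(collector)
    # Vulnerable configuration: external general entities are fetched and
    # inlined. CPython's default for this feature is False; the leak below
    # only happens because we turn it on, which is what an XXE-prone parser
    # effectively does.
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    if reject_doctype:
        parser.setProperty(handler.property_lexical_handler, _RejectDoctype())
    parser.parse(io.StringIO(xml_text))
    return collector.fields


def demo():
    """Returns (leaked_text, text_with_entities_disabled, doctype_rejected)."""
    # Constructed stand-in for a secret store the service account can read.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("API_SECRET=constructed-example-value")
        secret_path = f.name
    try:
        payload = XXE_PAYLOAD_TEMPLATE.format(
            uri=pathlib.Path(secret_path).as_uri())

        # 1. Vulnerable: the file's contents come back inside <device>.
        leaked = parse_request(payload, True, False)["device"]

        # 2. Hardened, option A: external entities are never resolved, so the
        #    reference expands to nothing and the secret stays on disk.
        blanked = parse_request(payload, False, False)["device"]

        # 3. Hardened, option B: refuse the DOCTYPE before any entity exists.
        try:
            parse_request(payload, False, True)
            rejected = False
        except ValueError:
            rejected = True
        return leaked, blanked, rejected
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, blanked, rejected = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("entities disabled returned:", repr(blanked))
    print("DOCTYPE rejected:", rejected)
```

In a real service the response field is the exfiltration channel; blind variants that push the file to an attacker-controlled URL via a parameter entity work even when nothing is echoed, which is why rejecting DTDs entirely (option B) is the stronger default. For Python code the usual drop-in is the defusedxml package; for .NET services the equivalent settings are XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit and a null XmlResolver.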
Affected products
Ivanti · EPM
