CVE-2024-22024 Overview
CVE-2024-22024 is an XML External Entity (XXE) vulnerability affecting the SAML component of Ivanti Connect Secure (versions 9.x and 22.x), Ivanti Policy Secure (versions 9.x and 22.x), and Zero Trust Access (ZTA) gateways. This vulnerability allows unauthenticated attackers to access certain restricted resources by exploiting improper XML parsing in the SAML authentication component.
The vulnerability poses a significant risk to enterprise environments as these products are widely deployed as VPN and secure access solutions, often serving as the primary gateway for remote workforce connectivity. Successful exploitation could enable attackers to bypass authentication controls and access sensitive internal resources.
Critical Impact
Unauthenticated attackers can exploit this XXE vulnerability to access restricted resources without authentication, potentially compromising the security perimeter of affected organizations.
Affected Products
- Ivanti Connect Secure (versions 9.x and 22.x including 9.1:r14.4, 9.1:r17.2, 9.1:r18.3, 22.4:r2.2, 22.5:r1.1, 22.5:r2.2)
- Ivanti Policy Secure (versions 9.x and 22.x including 22.5:r1.1)
- Ivanti Zero Trust Access Gateway (version 22.6:r1.3)
Discovery Timeline
- February 13, 2024 - CVE-2024-22024 published to NVD
- October 31, 2025 - Last updated in NVD database
Technical Details for CVE-2024-22024
Vulnerability Analysis
This vulnerability resides in the SAML (Security Assertion Markup Language) component used for federated authentication in Ivanti's secure access products. The SAML parser fails to properly restrict XML external entity references, creating an XXE vulnerability that can be exploited without authentication.
XXE vulnerabilities occur when XML parsers process external entity references embedded within XML documents. In the context of SAML authentication, attackers can craft malicious SAML responses or requests containing external entity declarations that, when processed by the vulnerable parser, cause the server to perform unintended actions such as accessing local files, making outbound network requests, or disclosing sensitive information.
Because the vulnerability is reachable over the network and requires no authentication, it is particularly dangerous: any attacker who can reach the SAML endpoint can send crafted SAML messages to it and potentially access restricted resources or extract sensitive data from the target system.
Root Cause
The root cause is improper restriction of XML External Entity references (CWE-611) in the SAML component's XML parser. The parser does not adequately disable or restrict the processing of external entities and DTD (Document Type Definition) declarations. When SAML messages are processed, the parser resolves external entity references, allowing attackers to inject malicious entity declarations that reference external or internal resources.
Attack Vector
The attack vector is network-based, requiring no user interaction or authentication. An attacker can exploit this vulnerability by sending specially crafted SAML messages to the SAML authentication endpoint of the vulnerable Ivanti products.
The attack flow typically involves:
- Identifying an exposed Ivanti Connect Secure, Policy Secure, or ZTA gateway with SAML authentication enabled
- Crafting a malicious SAML message containing XXE payloads with external entity declarations
- Sending the crafted message to the SAML authentication endpoint
- The vulnerable XML parser processes the malicious entities, potentially allowing access to restricted resources or data exfiltration
The vulnerability can be exploited to read local files, perform server-side request forgery (SSRF) attacks, or enumerate internal network resources depending on the parser configuration and system environment.
Detection Methods for CVE-2024-22024
Indicators of Compromise
- Unusual SAML authentication requests containing suspicious XML entity declarations or DOCTYPE declarations
- Unexpected outbound network connections from Ivanti appliances to external or internal resources
- Access log entries showing SAML endpoint requests with abnormally large payloads or encoded content
- File access attempts on sensitive system files from the SAML processing component
Detection Strategies
- Monitor SAML authentication endpoints for requests containing XML DOCTYPE declarations or ENTITY definitions (decode the base64-encoded SAMLRequest/SAMLResponse parameter first, since the XML is not sent in the clear)
- Implement network-level detection for outbound connections from Ivanti appliances that deviate from established baselines
- Deploy web application firewall (WAF) rules to detect and block XXE payloads in SAML messages
- Analyze authentication logs for failed or anomalous SAML assertion processing events
Monitoring Recommendations
- Enable verbose logging on Ivanti Connect Secure, Policy Secure, and ZTA gateways to capture detailed SAML transaction data
- Implement real-time alerting for any SAML requests containing external entity references or DTD declarations
- Monitor system resource access patterns for unauthorized file read attempts
- Establish baseline network behavior for Ivanti appliances and alert on deviations
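As an added example (not code from the advisory or from Ivanti), the following Python decodes a SAML message from its HTTP-POST or HTTP-Redirect binding and flags the DOCTYPE and ENTITY constructs that the root-cause section says the vulnerable parser failed to restrict, which is the same check the detection strategies above call for. The sample messages are constructed and minimal, not real SAML or Ivanti traffic.

```python
import base64
import re
import zlib
from urllib.parse import parse_qs, quote

# XML keywords are case-sensitive, so this matches exactly what a parser would
# treat as a DTD or entity declaration.
DTD_PATTERN = re.compile(rb"<!DOCTYPE\b|<!ENTITY\b")


def decode_saml_message(value: str, binding: str) -> bytes:
    """Recover raw XML from a SAMLRequest/SAMLResponse parameter value.
    binding 'post': base64 only; 'redirect': base64 over raw DEFLATE."""
    raw = base64.b64decode(value, validate=True)
    if binding == "redirect":
        raw = zlib.decompress(raw, -15)  # -15 = raw deflate stream, no zlib header
    return raw


def find_dtd_constructs(xml_bytes: bytes) -> list:
    """Return DTD keywords present outside XML comments; [] means clean."""
    stripped = re.sub(rb"<!--.*?-->", b"", xml_bytes, flags=re.S)
    return [m.group(0).decode() for m in DTD_PATTERN.finditer(stripped)]


def check_saml_post_body(form_body: str) -> dict:
    """Inspect a URL-encoded HTTP-POST form body; one finding list per parameter."""
    params = parse_qs(form_body)
    return {name: find_dtd_constructs(decode_saml_message(v, "post"))
            for name in ("SAMLRequest", "SAMLResponse") for v in params.get(name, [])}


# Constructed, minimal messages (not real Ivanti traffic): one clean, one carrying a DTD.
BENIGN_XML = b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1"/>'
DTD_XML = b'<!DOCTYPE Response [<!ENTITY x "test">]>' + BENIGN_XML


def build_post_body(xml_bytes: bytes) -> str:
    """Encode XML as the HTTP-POST binding does (base64, then form-encoded)."""
    return "SAMLResponse=" + quote(base64.b64encode(xml_bytes).decode(), safe="")


def encode_redirect(xml_bytes: bytes) -> str:
    """Encode XML as the HTTP-Redirect binding does (raw DEFLATE, then base64)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_bytes) + c.flush()).decode()


if __name__ == "__main__":
    for label, xml in (("benign", BENIGN_XML), ("dtd", DTD_XML)):
        print(label, check_saml_post_body(build_post_body(xml)))
        print(label, "redirect", find_dtd_constructs(decode_saml_message(encode_redirect(xml), "redirect")))
```

A SIEM rule or WAF that matches `<!DOCTYPE` on the raw request body will miss both bindings, because the XML only appears after the base64 (and, for Redirect, DEFLATE) layers are removed.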
How to Mitigate CVE-2024-22024
Immediate Actions Required
- Apply the latest security patches from Ivanti immediately to all affected Connect Secure, Policy Secure, and ZTA gateway deployments
- Review SAML authentication configurations and temporarily disable SAML if not business-critical while patching
- Implement network segmentation to limit the exposure of Ivanti appliances to untrusted networks
- Conduct a security assessment to determine if exploitation may have occurred prior to patching
Patch Information
Ivanti has released security patches addressing this vulnerability. Organizations should consult the Ivanti Security Advisory for CVE-2024-22024 for specific patch versions and upgrade instructions for their deployed product versions.
Affected versions requiring updates include:
- Ivanti Connect Secure: 9.1:r14.4, 9.1:r17.2, 9.1:r18.3, 22.4:r2.2, 22.5:r1.1, 22.5:r2.2
- Ivanti Policy Secure: 22.5:r1.1
- Ivanti Zero Trust Access Gateway: 22.6:r1.3
Workarounds
- Deploy a web application firewall (WAF) in front of Ivanti appliances configured to block requests containing XXE payloads
- Restrict network access to SAML authentication endpoints to known identity provider IP ranges only
- If SAML authentication is not required, consider disabling SAML functionality until patches can be applied
- Implement strict input validation at the network perimeter for all traffic destined to Ivanti appliances
# Example ModSecurity rules to block XXE patterns in SAML messages
# Consult your WAF vendor documentation for equivalent syntax
# Phase 2 rules only see POST parameters when request body access is enabled
SecRequestBodyAccess On
# The HTTP-POST binding sends SAMLRequest/SAMLResponse base64-encoded, so decode before matching
# (the HTTP-Redirect binding also DEFLATE-compresses the message, which these rules do not inflate)
SecRule ARGS:SAMLRequest|ARGS:SAMLResponse "@rx <!(DOCTYPE|ENTITY)" "id:1001,phase:2,t:none,t:base64Decode,deny,status:403,msg:'Potential XXE Attack in SAML message'"
# Also block DOCTYPE or ENTITY declarations in raw (unencoded) XML request bodies
SecRule REQUEST_BODY "@rx <!(DOCTYPE|ENTITY)" "id:1002,phase:2,t:none,deny,status:403,msg:'Potential XXE Attack in request body'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.