CVE-2024-37397 Overview
An External XML Entity (XXE) vulnerability has been identified in the provisioning web service of Ivanti Endpoint Manager (EPM). This vulnerability exists in EPM versions before 2022 SU6 and the 2024 release prior to the September update. The flaw allows a remote unauthenticated attacker to exploit improper XML parsing to leak sensitive API secrets from affected systems.
XXE vulnerabilities occur when an application parses XML input containing references to external entities. When the XML parser is configured to process these external entity references, attackers can leverage this behavior to access internal files, make server-side requests, or exfiltrate sensitive data. In this case, the provisioning web service fails to properly restrict external entity processing, creating a significant security risk for organizations relying on Ivanti EPM for endpoint management.
Critical Impact
Remote unauthenticated attackers can exploit this XXE vulnerability to leak API secrets, potentially enabling further attacks on the organization's endpoint management infrastructure.
Affected Products
- Ivanti Endpoint Manager 2024 (prior to September 2024 update)
- Ivanti Endpoint Manager 2022 (prior to SU6)
- Ivanti Endpoint Manager 2022 SU1 through SU5
Discovery Timeline
- September 12, 2024 - CVE-2024-37397 published to NVD
- July 10, 2025 - Last updated in NVD database
Technical Details for CVE-2024-37397
Vulnerability Analysis
This vulnerability is classified as CWE-611: Improper Restriction of XML External Entity Reference. The provisioning web service in Ivanti EPM accepts XML input but does not properly disable or restrict the processing of external entity references within the XML parser configuration.
When the XML parser processes a maliciously crafted document containing external entity declarations, it follows the entity reference to retrieve external resources. An attacker can abuse this behavior to read local files on the server, interact with internal services, or exfiltrate sensitive configuration data including API secrets.
The network-accessible nature of this vulnerability is particularly concerning because it requires no authentication. An attacker with network access to the provisioning web service can send specially crafted XML payloads to trigger the vulnerability without needing valid credentials.
Root Cause
The root cause of this vulnerability lies in the improper configuration of the XML parser used by the provisioning web service. The parser does not disable Document Type Definition (DTD) processing or external entity resolution, which are the primary mechanisms that enable XXE attacks. When external entities are allowed, the parser will attempt to retrieve and process content from URIs specified in entity declarations, effectively becoming a proxy for server-side requests controlled by the attacker.
Attack Vector
The attack is performed remotely over the network by sending malicious XML documents to the provisioning web service endpoint. The attacker crafts an XML document containing a DTD with external entity declarations pointing to sensitive files or internal services. When the vulnerable parser processes this document, it resolves the external entities and includes their content in the response or processes them in a way that allows the attacker to extract sensitive information.
A typical XXE attack against this vulnerability would involve sending an XML payload with an entity declaration referencing internal configuration files containing API secrets. The parser would read the file contents and potentially include them in error messages or responses that the attacker can observe. Since no authentication is required, the attacker only needs network access to the affected service to execute this attack.
Detection Methods for CVE-2024-37397
Indicators of Compromise
- Unusual XML requests to the EPM provisioning web service containing DTD declarations or external entity references
- Unexpected file access attempts on the EPM server, particularly targeting configuration files
- Network connections from the EPM server to unexpected internal or external hosts
- Error logs containing XML parsing errors or file access failures related to the provisioning service
Detection Strategies
- Monitor web service logs for XML payloads containing <!DOCTYPE, <!ENTITY, or SYSTEM declarations
- Implement network-level inspection for XML traffic targeting the provisioning service endpoint
- Configure intrusion detection systems with signatures for common XXE attack patterns
- Review EPM server logs for unusual file read operations or outbound connections
Monitoring Recommendations
- Enable detailed logging for the Ivanti EPM provisioning web service
- Set up alerts for any access attempts to sensitive configuration files from the web service context
- Monitor outbound network traffic from the EPM server for data exfiltration indicators
- Establish baseline traffic patterns for the provisioning service to identify anomalous requests
How to Mitigate CVE-2024-37397
Immediate Actions Required
- Apply the Ivanti EPM 2022 SU6 update or the September 2024 update for EPM 2024 immediately
- Restrict network access to the provisioning web service to trusted networks only
- Review logs for any evidence of prior exploitation attempts
- Rotate any API secrets that may have been exposed if exploitation is suspected
Patch Information
Ivanti has released security updates to address this vulnerability. For Ivanti EPM 2022, organizations should upgrade to Service Update 6 (SU6) or later. For Ivanti EPM 2024, the September 2024 update contains the necessary fix. Detailed patch information is available in the Ivanti Security Advisory for EPM September 2024.
Workarounds
- Implement network segmentation to limit access to the provisioning web service from untrusted networks
- Deploy a web application firewall (WAF) with XXE attack detection capabilities in front of the EPM service
- If possible, disable or restrict access to the provisioning web service until patching can be completed
- Monitor for exploitation attempts while working to deploy the official patches
# Example: Restrict access to provisioning service using firewall rules
# Windows Firewall example - restrict to management subnet only
netsh advfirewall firewall add rule name="Restrict EPM Provisioning" dir=in action=block protocol=tcp localport=443 remoteip=0.0.0.0/0
netsh advfirewall firewall add rule name="Allow EPM Provisioning Trusted" dir=in action=allow protocol=tcp localport=443 remoteip=10.0.0.0/24
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
