CVE-2023-36661

HIGH EXPLOITED

Shibboleth XMLTooling <3.2.4 - SSRF

Title source: llm

Exploitation Summary

CVE-2023-36661 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including sfewer-r7, including a Metasploit module exploits/linux/http/ivanti_connect_secure_rce_cve_2024_21893.

AI-analyzed exploit summary This Metasploit module chains an SSRF vulnerability (CVE-2024-21893/CVE-2023-36661) with a command injection vulnerability (CVE-2024-21887) to achieve unauthenticated remote code execution on Ivanti Connect Secure and Ivanti Policy Secure. It exploits a misconfigured XML signature retrieval mechanism to trigger an internal SSRF, which then executes arbitrary commands via a vulnerable backend service.

Description

Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)

Exploits (1)

metasploit WORKING POC EXCELLENT

by sfewer-r7 · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2024_21893.rb

View Code ZIP pw:eip

This Metasploit module chains an SSRF vulnerability (CVE-2024-21893/CVE-2023-36661) with a command injection vulnerability (CVE-2024-21887) to achieve unauthenticated remote code execution on Ivanti Connect Secure and Ivanti Policy Secure. It exploits a misconfigured XML signature retrieval mechanism to trigger an internal SSRF, which then executes arbitrary commands via a vulnerable backend service.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x)

No auth needed

Prerequisites: Network access to the target's HTTPS service (port 443) · Vulnerable version of Ivanti Connect Secure or Policy Secure

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 22, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory

https://shibboleth.net/community/advisories/secadv_20230612.txt

Third Party Advisory vendor-advisory

https://www.debian.org/security/2023/dsa-5432

Scores

CVSS v3 7.5

EPSS 0.6067

EPSS Percentile 98.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2025-08-12

CWE

CWE-918

Status published

Products (3)

debian/debian_linux 11.0

debian/debian_linux 12.0

shibboleth/xmltooling < 3.2.4

Published Jun 25, 2023

Tracked Since Feb 18, 2026