CVE-2024-22024

HIGH EXPLOITED NUCLEI

Ivanti Connect Secure - XXE

Title source: nuclei

Exploitation Summary

CVE-2024-22024 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including 0dteam and cybersecplayground. A Nuclei detection template is also available.

Description

An XML external entity (XXE) vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways allows an attacker to access certain restricted resources without authentication.

Exploits (2)

nomisec WORKING POC 30 stars
by 0dteam · remote
https://github.com/0dteam/CVE-2024-22024

This repository contains a functional Python script that exploits CVE-2024-22024, an XXE vulnerability in Ivanti Connect Secure. The script sends a crafted SAML request with an XXE payload to trigger an out-of-band interaction with an attacker-controlled URL.

Classification: Working PoC 95%
Attack Type: XXE
Complexity: Trivial
Reliability: Reliable
Target: Ivanti Connect Secure and Ivanti Policy Secure
No auth needed
Prerequisites: Target URL or list of URLs · Attacker-controlled URL for out-of-band interaction
devstral-2 · analyzed Feb 18, 2026

github WRITEUP 7 stars
by cybersecplayground · poc
https://github.com/cybersecplayground/PoC-and-CVE-Reports/tree/main/2024/CVE-2024-22024.md

The repository contains detailed technical writeups for multiple CVEs, including CVE-2024-22024, which involves an XXE vulnerability in Ivanti Connect Secure via SAMLRequest injection. The writeups include vulnerability descriptions, proof-of-concept details, and mitigation recommendations.

Classification: Writeup 95%
Attack Type: XXE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Connect Secure
No auth needed
Prerequisites: Access to the vulnerable endpoint · Ability to send crafted SAML requests
devstral-2 · analyzed Feb 27, 2026

Nuclei Templates (1)

Ivanti Connect Secure - XXE
HIGH by watchTowr
Shodan: html:"welcome.cgi?p=logo" || http.title:"ivanti connect secure" || http.html:"welcome.cgi?p=logo"
FOFA: body="welcome.cgi?p=logo" || title="ivanti connect secure"

Scores

CVSS v3 8.3
EPSS 0.9425
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

VulnCheck KEV 2024-02-06
CWE CWE-611
Status published
Products (5)
ivanti/connect_secure 9.1 r14.4 (3 CPE variants)
ivanti/connect_secure 22.4 r2.2
ivanti/connect_secure 22.5 r1.1 (2 CPE variants)
ivanti/policy_secure 22.5 r1.1
ivanti/zero_trust_access_gateway 22.6 r1.3
Published Feb 13, 2024
Tracked Since Feb 18, 2026